GHSA-VPRV-35VV-Q339
Vulnerability from github – Published: 2026-03-24 21:45 – Updated: 2026-03-24 21:45
Summary
NATS has pre-auth server panic via leafnode handling
Details
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.
Problem Description
A client that can reach the leafnode port can crash the nats-server by sending a certain malformed message before authenticating. Because the panic is triggered pre-authentication, leafnode credentials do not prevent it; only upgrading or limiting who can reach the port does.
Affected Versions
Any version before v2.11.15, and any v2.12.x build (from v2.12.0-RC.1 onward) before v2.12.6.
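To turn the version statement above into a check you can run against a deployed server, here is an added Go example (mine, not code from the advisory or the nats-server project). It copies the two OSV affected ranges from the record on this page (introduced 0, fixed 2.11.15; introduced 2.12.0-RC.1, fixed 2.12.6) and tests a version string against them with plain SemVer ordering, so that a pre-release such as 2.12.0-RC.1 or 2.12.6-RC.1 is placed correctly. The type and function names are my own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// versionRange mirrors one OSV "ECOSYSTEM" range: introduced <= v < fixed.
type versionRange struct {
	Introduced string
	Fixed      string
}

// natsLeafnodePanicRanges copies the two affected ranges from the OSV record
// for GHSA-vprv-35vv-q339 (github.com/nats-io/nats-server/v2) on this page.
var natsLeafnodePanicRanges = []versionRange{
	{Introduced: "0", Fixed: "2.11.15"},
	{Introduced: "2.12.0-RC.1", Fixed: "2.12.6"},
}

// parseVersion turns "v2.12.0-RC.1" into the numeric core {2, 12, 0} and the
// pre-release identifiers {"RC", "1"}. A leading "v" and any "+build" suffix are
// dropped; OSV's bare "0" (meaning "from the first release") parses as 0.0.0.
func parseVersion(s string) ([3]int, []string, error) {
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	var pre []string
	if i := strings.IndexByte(s, '-'); i >= 0 {
		pre = strings.Split(s[i+1:], ".")
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	var core [3]int
	if len(parts) > 3 {
		return core, nil, fmt.Errorf("version %q has more than three numeric components", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return core, nil, fmt.Errorf("version %q: bad numeric component %q", s, p)
		}
		core[i] = n
	}
	return core, pre, nil
}

// comparePreID orders pre-release identifiers per SemVer 2.0.0: numeric
// identifiers compare numerically and sort before alphanumeric ones, which
// compare in ASCII order.
func comparePreID(x, y string) int {
	xn, xerr := strconv.Atoi(x)
	yn, yerr := strconv.Atoi(y)
	switch {
	case xerr == nil && yerr == nil:
		if xn < yn {
			return -1
		}
		if xn > yn {
			return 1
		}
		return 0
	case xerr == nil:
		return -1
	case yerr == nil:
		return 1
	}
	return strings.Compare(x, y)
}

// compareVersions returns -1, 0 or 1. A pre-release (2.12.0-RC.1) sorts before
// its final release (2.12.0), which is why the OSV range starting at
// 2.12.0-RC.1 covers every 2.12.x build up to the fix.
func compareVersions(a, b string) (int, error) {
	ac, ap, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	bc, bp, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if ac[i] != bc[i] {
			if ac[i] < bc[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	switch {
	case len(ap) == 0 && len(bp) == 0:
		return 0, nil
	case len(ap) == 0:
		return 1, nil // final release is newer than any of its pre-releases
	case len(bp) == 0:
		return -1, nil
	}
	for i := 0; i < len(ap) && i < len(bp); i++ {
		if c := comparePreID(ap[i], bp[i]); c != 0 {
			return c, nil
		}
	}
	switch {
	case len(ap) < len(bp):
		return -1, nil
	case len(ap) > len(bp):
		return 1, nil
	}
	return 0, nil
}

// inAffectedRanges reports whether v falls inside any [introduced, fixed) range.
func inAffectedRanges(v string, ranges []versionRange) (bool, error) {
	for _, r := range ranges {
		lo, err := compareVersions(v, r.Introduced)
		if err != nil {
			return false, err
		}
		hi, err := compareVersions(v, r.Fixed)
		if err != nil {
			return false, err
		}
		if lo >= 0 && hi < 0 {
			return true, nil
		}
	}
	return false, nil
}

// affectedByNatsLeafnodePanic is the page-specific check (name is my own).
func affectedByNatsLeafnodePanic(v string) (bool, error) {
	return inAffectedRanges(v, natsLeafnodePanicRanges)
}

func main() {
	for _, v := range []string{"v2.10.22", "v2.11.14", "v2.11.15", "v2.12.0-RC.1", "v2.12.5", "v2.12.6-RC.1", "v2.12.6", "v2.13.0"} {
		hit, err := affectedByNatsLeafnodePanic(v)
		if err != nil {
			fmt.Println(v, "error:", err)
			continue
		}
		fmt.Printf("%-14s affected=%v\n", v, hit)
	}
}
```

Note the two consequences of the ranges that the one-line version statement hides: a 2.11.x release is only fixed at 2.11.15 or later, and a release candidate of the fixed 2.12.6 (2.12.6-RC.1) still counts as affected because it sorts before 2.12.6.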
Workarounds
- Disable leafnode support if not needed.
- Restrict network access to your leafnode port to the hosts that need it, if that is feasible without breaking the leafnode connections the service relies on.
References
- This document is canonically: https://advisories.nats.io/CVE/secnote-2026-10.txt
- GHSA advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339
- MITRE CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33218
Severity
7.5 (High)
{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-server/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-server/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.12.0-RC.1"
            },
            {
              "fixed": "2.12.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T21:45:29Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Background\n\nNATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.\n\nThe nats-server allows hub/spoke topologies using \"leafnode\" connections by other nats-servers.\n\n### Problem Description\n\nA client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.\n\n### Affected Versions\n\nAny version before v2.12.6 or v2.11.15\n\n### Workarounds\n\n1. Disable leafnode support if not needed.\n2. Restrict network connections to your leafnode port, if plausible without compromising the service offered.\n\n### References\n\n * This document is canonically: \u003chttps://advisories.nats.io/CVE/secnote-2026-10.txt\u003e\n * GHSA advisory: \u003chttps://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339\u003e\n * MITRE CVE entry: \u003chttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33218\u003e",
  "id": "GHSA-vprv-35vv-q339",
  "modified": "2026-03-24T21:45:29Z",
  "published": "2026-03-24T21:45:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339"
    },
    {
      "type": "WEB",
      "url": "https://advisories.nats.io/CVE/secnote-2026-10.txt"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nats-io/nats-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NATS has pre-auth server panic via leafnode handling"
}
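The 7.5 (High) shown for this record comes from the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H above: network-reachable, no privileges or user interaction, and a high availability impact only. As an added example (mine, not from the advisory, GitHub or the nats-server project), the Go function below reproduces that number from the vector using the base-metric weights and equations of the CVSS v3.1 specification, including the scope-changed branch and the specification's Roundup function. Function names are my own.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strings"
)

// cvss31BaseScore computes the CVSS v3.1 base score from a base vector such as
// "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" (the vector on this page).
// Only the eight base metrics are accepted; temporal or environmental metrics
// make the vector invalid for this function.
func cvss31BaseScore(vector string) (float64, error) {
	parts := strings.Split(vector, "/")
	if len(parts) != 9 || parts[0] != "CVSS:3.1" {
		return 0, errors.New("want a CVSS:3.1 vector with exactly the eight base metrics")
	}
	m := make(map[string]string, 8)
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 {
			return 0, fmt.Errorf("malformed metric %q", p)
		}
		m[kv[0]] = kv[1]
	}
	scopeChanged := m["S"] == "C"
	if !scopeChanged && m["S"] != "U" {
		return 0, fmt.Errorf("unknown scope %q", m["S"])
	}

	// Privileges Required weighs more when the scope changes.
	pr := map[string]float64{"N": 0.85, "L": 0.62, "H": 0.27}
	if scopeChanged {
		pr = map[string]float64{"N": 0.85, "L": 0.68, "H": 0.5}
	}
	cia := map[string]float64{"H": 0.56, "L": 0.22, "N": 0}

	var firstErr error
	weight := func(metric string, table map[string]float64) float64 {
		w, ok := table[m[metric]]
		if !ok && firstErr == nil {
			firstErr = fmt.Errorf("metric %s has unknown value %q", metric, m[metric])
		}
		return w
	}
	av := weight("AV", map[string]float64{"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2})
	ac := weight("AC", map[string]float64{"L": 0.77, "H": 0.44})
	prw := weight("PR", pr)
	ui := weight("UI", map[string]float64{"N": 0.85, "R": 0.62})
	c, i, a := weight("C", cia), weight("I", cia), weight("A", cia)
	if firstErr != nil {
		return 0, firstErr
	}

	// Impact Sub-Score, Impact and Exploitability per the v3.1 equations.
	iss := 1 - (1-c)*(1-i)*(1-a)
	impact := 6.42 * iss
	if scopeChanged {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	exploitability := 8.22 * av * ac * prw * ui

	if impact <= 0 {
		return 0, nil
	}
	if scopeChanged {
		return roundUp(math.Min(1.08*(impact+exploitability), 10)), nil
	}
	return roundUp(math.Min(impact+exploitability, 10)), nil
}

// roundUp is the specification's Roundup: the smallest number with one decimal
// place that is >= x, computed on integers so that a value such as 4.000000001
// stays 4.0 instead of becoming 4.1.
func roundUp(x float64) float64 {
	n := int(math.Round(x * 100000))
	if n%10000 == 0 {
		return float64(n) / 100000
	}
	return (math.Floor(float64(n)/10000) + 1) / 10
}

func main() {
	v := "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
	score, err := cvss31BaseScore(v)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s -> %.1f\n", v, score)
}
```

For this page's vector the numbers are: ISS = 1 - (1)(1)(1 - 0.56) = 0.56, Impact = 6.42 x 0.56 = 3.5952, Exploitability = 8.22 x 0.85 x 0.77 x 0.85 x 0.85 = 3.887, and Roundup(3.5952 + 3.887) = 7.5. The same exploitability with C:H/I:H/A:H would give 9.8, which is a useful sanity check that the availability-only impact is what keeps this advisory at High rather than Critical.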