CVE-2026-33218
HIGH
CVSS 7.5
No EPSS data
Description
NATS-Server is a high-performance server for NATS.io, a cloud- and edge-native messaging system. Prior to versions 2.11.15 and 2.12.6, a client that can connect to the leafnode port can crash the nats-server by sending a certain malformed message before authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if it is not needed, or restrict network connections to the leafnode port where that is possible without compromising the service offered.
EPSS
This CVE is not currently listed in the EPSS dataset.
{
  "cve": {
    "id": "CVE-2026-33218",
    "cveTags": [],
    "metrics": {
      "cvssMetricV31": [
        {
          "type": "Secondary",
          "source": "security-advisories@github.com",
          "cvssData": {
            "scope": "UNCHANGED",
            "version": "3.1",
            "baseScore": 7.5,
            "attackVector": "NETWORK",
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "integrityImpact": "NONE",
            "userInteraction": "NONE",
            "attackComplexity": "LOW",
            "availabilityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "confidentialityImpact": "NONE"
          },
          "impactScore": 3.6,
          "exploitabilityScore": 3.9
        }
      ]
    },
    "published": "2026-03-25T20:16:32.623",
    "references": [
      {
        "url": "https://advisories.nats.io/CVE/secnote-2026-10.txt",
        "tags": [
          "Mitigation",
          "Vendor Advisory"
        ],
        "source": "security-advisories@github.com"
      },
      {
        "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339",
        "tags": [
          "Mitigation",
          "Vendor Advisory"
        ],
        "source": "security-advisories@github.com"
      }
    ],
    "vulnStatus": "Analyzed",
    "weaknesses": [
      {
        "type": "Primary",
        "source": "security-advisories@github.com",
        "description": [
          {
            "lang": "en",
            "value": "CWE-20"
          }
        ]
      }
    ],
    "descriptions": [
      {
        "lang": "en",
        "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered."
      },
      {
        "lang": "es",
        "value": "NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajer\u00eda nativo de la nube y del borde. Antes de las versiones 2.11.15 y 2.12.6, un cliente que puede conectarse al puerto leafnode puede bloquear el nats-server con un mensaje malformado espec\u00edfico pre-autenticaci\u00f3n. Las versiones 2.11.15 y 2.12.6 contienen una correcci\u00f3n. Como soluci\u00f3n alternativa, deshabilite el soporte de leafnode si no es necesario o restrinja las conexiones de red al puerto leafnode, si es factible sin comprometer el servicio ofrecido."
      }
    ],
    "lastModified": "2026-03-26T17:15:02.390",
    "configurations": [
      {
        "nodes": [
          {
            "negate": false,
            "cpeMatch": [
              {
                "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*",
                "vulnerable": true,
                "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C",
                "versionEndExcluding": "2.11.15"
              },
              {
                "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*",
                "vulnerable": true,
                "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154",
                "versionEndExcluding": "2.12.6",
                "versionStartIncluding": "2.12.0"
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sourceIdentifier": "security-advisories@github.com"
  }
}