{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33218", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.314Z", "datePublished": "2026-03-25T19:53:12.075Z", "dateUpdated": "2026-03-25T19:53:12.075Z"}, "containers": {"cna": {"title": "NATS has pre-auth server panic via leafnode handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-10.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-10.txt"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": "< < 2.11.15", "status": "affected"}, {"version": ">= 2.12.0-RC.1, < 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T19:53:12.075Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered."}], "source": {"advisory": "GHSA-vprv-35vv-q339", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered."}], "id": "CVE-2026-33218", "lastModified": "2026-03-25T20:16:32.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T20:16:32.623", "references": [{"source": "security-advisories@github.com", "url": "https://advisories.nats.io/CVE/secnote-2026-10.txt"}, {"source": "security-advisories@github.com", "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T21:38:17.443146+00:00", "value": {"mitigation_remediation": ["Upgrade NATS-Server to version 2.11.15 or later (\u22652.12.6).", "Disable leafnode support if an upgrade cannot be performed immediately.", "Restrict access to the leafnode port via firewall or network segmentation to limit exposure."], "summary": {"action": "Patch immediately", "impact": "Server crash leading to denial of service"}, "threat_synthesis": {"affected_systems": "The NATS-Server process distributed by NATS.io is affected. Versions up to but not including 2.11.15 and 2.12.6 are vulnerable. These include the 2.11 branch before 2.11.15 and the 2.12 branch before 2.12.6. Upgrading to 2.11.15 or 2.12.6 or later resolves the issue.", "description_and_impact": "A malformed leafnode message can trigger a panic before authentication, causing the NATS-Server to crash. This denial-of-service vulnerability arises from inadequate input validation (CWE-20). Once exploited, the server becomes unavailable, disrupting message delivery across the system.", "risk_and_exploitability": "The CVSS score of 7.5 classifies this flaw as high impact. No EPSS score is available, and it is not listed in CISA\u2019s KEV catalog, suggesting no known widespread exploitation yet. Attackers can reach the vulnerable leafnode port over the network, then send the crafted malformed message; no additional privileges are required. Consequences include sudden service outages, affecting all clients relying on the affected NATS instance."}}}}, "created": "2026-03-25T21:46:21.150572+00:00", "updated": "2026-03-25T21:46:21.150597+00:00", "vendors": []}