Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A malformed message sent to the leafnode port of NATS-Server causes a pre-authentication crash that can terminate the service. The denial of service can be triggered by any network actor that can reach the leafnode interface, without authentication, resulting in loss of availability for all connected clients. The issue arises from improper input handling and an unguarded panic path (CWE‑20 and CWE‑1286).

Affected Systems

All NATS‑IO NATS‑Server releases prior to 2.11.15 and 2.12.6 are vulnerable; any client that can connect to the leafnode port jeopardizes the system. The vulnerability impacts only the server process and does not compromise data confidentiality or integrity.

Risk and Exploitability

The CVSS score of 7.5 designates this as a high severity flaw, while an EPSS score of less than one percent indicates that exploitation is currently uncommon. It is not listed in the CISA KEV catalog. Because the leafnode port is a network-facing endpoint, an attacker who can reach it can trigger the crash immediately, with no authentication or additional privileges required. The threat is mitigated by disabling leafnode support or restricting network access to the port.

Generated by OpenCVE AI on March 26, 2026 at 18:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NATS-Server to version 2.11.15 or later 2.12.6 to apply the vendor fix.
  • If an upgrade is not immediately possible, disable the leafnode feature in the server configuration to eliminate the vulnerable code path.
  • As an additional safeguard, restrict network access to the leafnode port through firewalls or network segmentation to limit exposure.

Generated by OpenCVE AI on March 26, 2026 at 18:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vprv-35vv-q339 NATS has pre-auth server panic via leafnode handling
History

Thu, 26 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation nats-server
CPEs cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation nats-server

Thu, 26 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nats
Nats nats Server
Vendors & Products Nats
Nats nats Server

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1286
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 25 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered.
Title NATS has pre-auth server panic via leafnode handling
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Linuxfoundation Nats-server
Nats Nats Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T15:37:59.614Z

Reserved: 2026-03-17T23:23:58.314Z

Link: CVE-2026-33218

cve-icon Vulnrichment

Updated: 2026-03-26T15:37:56.298Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T20:16:32.623

Modified: 2026-03-26T17:15:02.390

Link: CVE-2026-33218

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-25T19:53:12Z

Links: CVE-2026-33218 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:30:11Z

Weaknesses