Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment.
Published: 2026-03-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A malicious client can connect to the NATS Server’s WebSockets port before authentication and send a large amount of data, causing the server to allocate unbounded memory. This results in memory exhaustion, making the server unresponsive or causing it to terminate, thereby denying service to legitimate users. The weakness is a form of resource exhaustion, reflected in CWE‑770.

Affected Systems

This issue affects nats-io NATS Server versions earlier than 2.11.15 and 2.12.6. The fixed releases, 2.11.15 and newer as well as 2.12.6 and newer, contain a patch that mitigates the vulnerability.

Risk and Exploitability

The CVSS score of 5.3 classifies the problem as medium severity, while an EPSS score below 1% indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker only needs network reach to the WebSockets port and the ability to send a large volume of data; no authentication or elevated privileges are required, but the bandwidth requirement limits the practical threat to most deployments.

Generated by OpenCVE AI on March 26, 2026 at 18:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to nats-server version 2.11.15 or later or 2.12.6 or later
  • If an upgrade is not feasible, disable the WebSockets interface for the deployment
  • Monitor WebSocket traffic and server memory usage for abnormal spikes

Generated by OpenCVE AI on March 26, 2026 at 18:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8r68-gvr4-jh7j NATS is vulnerable to pre-auth DoS through WebSockets client service
History

Thu, 26 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation nats-server
CPEs cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation nats-server

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nats
Nats nats Server
Vendors & Products Nats
Nats nats Server

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment.
Title NATS is vulnerable to pre-auth DoS through WebSockets client service
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Linuxfoundation Nats-server
Nats Nats Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T20:10:35.721Z

Reserved: 2026-03-17T23:23:58.314Z

Link: CVE-2026-33219

cve-icon Vulnrichment

Updated: 2026-03-25T20:10:29.951Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T20:16:32.777

Modified: 2026-03-26T17:15:18.327

Link: CVE-2026-33219

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-25T19:55:28Z

Links: CVE-2026-33219 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:30:10Z

Weaknesses