CVE-2026-33218 PUBLISHED

NATS has pre-auth server panic via leafnode handling

Assigner: GitHub_M
Reserved: 17.03.2026 Published: 25.03.2026 Updated: 26.03.2026

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	nats-io
Product	nats-server
Versions	Version < < 2.11.15 is affected Version >= 2.12.0-RC.1, < 2.12.6 is affected

References

Problem Types

CWE-20: Improper Input Validation CWE