CVE-2026-33219

NATS is vulnerable to pre-auth DoS through WebSockets client service

Assigner: GitHub_M
Reserved: 17.03.2026 Published: 25.03.2026 Updated: 25.03.2026

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	nats-io
Product	nats-server
Versions	Version < 2.11.15 is affected Version >= 2.12.0-RC.1, < 2.12.6 is affected

Vendor

nats-io

Product

nats-server

Versions

Version < 2.11.15 is affected
Version >= 2.12.0-RC.1, < 2.12.6 is affected

References

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling CWE

CVE-2026-33219 PUBLISHED

NATS is vulnerable to pre-auth DoS through WebSockets client service

Metrics

Product Status

References

Problem Types