CVE-2026-27889
Received Received - Intake
WebSockets Frame Validation Flaw Causes NATS-Server Panic

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port. Versions 2.11.14 and 2.12.5 contains a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If one is able to do so, a defense in depth of restricting either of these will mitigate the attack.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27889
EUVD
EUVD-2026-15962
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation nats-server From 2.12.0 (inc) to 2.12.5 (exc)
linuxfoundation nats-server From 2.2.0 (inc) to 2.11.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27889 is a vulnerability in the NATS Server, a high-performance messaging system used in cloud, on-premise, IoT, and edge computing environments. The issue occurs in the handling of WebSocket frames before client authentication. Specifically, the server fails to properly validate the 64-bit extended payload length field in WebSocket frames, allowing a malicious client to send a specially crafted frame that triggers a server panic.

This missing sanity check causes the server to interpret a large payload length as a negative number, leading to a slice bounds out-of-range panic and crashing the entire NATS server process. The vulnerability affects versions from 2.2.0 up to versions prior to 2.11.14 and 2.12.5.

The vulnerability is exploitable by anyone able to connect to the WebSockets port, as it happens before authentication. The definitive fix is to upgrade to patched versions 2.11.14, 2.12.5, or later. Workarounds include restricting access to the WebSockets port or limiting exposure to untrusted endpoints.

Impact Analysis

This vulnerability allows a remote attacker to cause a denial of service (DoS) by crashing the entire NATS server with a single crafted WebSocket frame sent before authentication.

  • The server process terminates unexpectedly, disconnecting all clients including NATS clients, WebSocket clients, MQTT-over-WebSocket clients, cluster routes, gateways, and leaf nodes.
  • JetStream in-flight acknowledgments are lost, potentially causing message delivery issues.
  • Raft consensus in clustered deployments is disrupted, affecting cluster stability and availability.

The attack requires only a single unauthenticated TCP connection to the WebSocket port and a small amount of malicious data, making it easy to exploit if the WebSocket port is exposed to untrusted networks.

Detection Guidance

This vulnerability can be detected by monitoring for unexpected server crashes or panics in the NATS Server logs, especially those related to WebSocket frame processing before authentication.

Since the vulnerability is triggered by a specially crafted WebSocket frame, detection can involve capturing and analyzing WebSocket traffic on the exposed port for abnormal or malformed frames with suspicious 64-bit extended payload length fields.

Specific commands are not provided in the resources, but general network monitoring tools like tcpdump or Wireshark can be used to capture WebSocket traffic on the server's WebSocket port. For example:

  • tcpdump -i <interface> port <websocket_port> -w capture.pcap
  • Use Wireshark to analyze the capture.pcap file for WebSocket frames with unusual payload length fields.

Additionally, monitoring the NATS Server process for crashes or restarts can indicate exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting access to the WebSocket port to trusted endpoints only, or disabling WebSocket support if it is not required.

These measures reduce the attack surface by preventing untrusted clients from connecting and sending malicious frames.

The definitive fix is to upgrade the NATS Server to version 2.11.14, 2.12.5, or later, where the vulnerability has been patched by adding proper validation of the 64-bit extended payload length field.

Compliance Impact

This vulnerability allows an unauthenticated remote attacker to cause a denial of service by crashing the NATS server when using WebSockets. While it does not directly impact confidentiality or integrity of data, the resulting server crash can disrupt availability of services relying on NATS Server, including cloud, on-premise, IoT, and edge computing environments.

Disruptions to availability can affect compliance with standards and regulations such as GDPR and HIPAA, which require maintaining availability and resilience of systems processing personal or sensitive data. A denial of service could lead to service outages, loss of in-flight acknowledgments, and disruption of clustered deployments, potentially impacting the ability to meet these regulatory requirements.

Mitigations include restricting access to the WebSockets port or upgrading to fixed versions, which help maintain compliance by reducing the risk of service disruption.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27889. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart