CVE-2026-33218
Modified Modified - Updated After Analysis

Denial of Service via Malformed Leafnode Message in NATS-Server

Vulnerability report for CVE-2026-33218, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-25

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-25
Last Modified
2026-06-30
Generated
2026-07-07
AI Q&A
2026-03-26
EPSS Evaluated
2026-07-06
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation nats-server From 2.12.0 (inc) to 2.12.6 (exc)
linuxfoundation nats-server to 2.11.15 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-1286 The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability causes a denial of service by crashing the nats-server, impacting availability but not confidentiality or integrity.

Since the vulnerability does not affect confidentiality or integrity of data, it does not directly expose personal or sensitive information.

However, the availability impact could affect compliance with standards that require system availability and resilience, such as HIPAA's requirements for availability of electronic protected health information (ePHI).

Organizations relying on nats-server should consider the risk of service disruption and apply mitigations to maintain compliance with availability requirements in regulations like GDPR and HIPAA.

Executive Summary

This vulnerability affects the NATS-Server, a high-performance messaging server used in cloud and edge native systems. Before versions 2.11.15 and 2.12.6, a client connecting to the leafnode port could send a specially malformed message before authentication, causing the server to crash.

The issue is fixed in versions 2.11.15 and 2.12.6. As a temporary workaround, users can disable leafnode support if it is not needed or restrict network access to the leafnode port to prevent exploitation.

Impact Analysis

This vulnerability can cause a denial of service by crashing the NATS-Server when a malformed message is sent to the leafnode port pre-authentication. This means the server becomes unavailable, potentially disrupting messaging services that rely on it.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your NATS-Server to version 2.11.15 or 2.12.6 or later, which contain the fix.

As a workaround, if upgrading is not immediately possible, you can disable leafnode support if it is not needed.

Alternatively, restrict network connections to the leafnode port to prevent untrusted clients from connecting, provided this does not compromise your service.

Detection Guidance

There is no specific detection method or command provided in the available resources to identify this vulnerability on your network or system.

However, general mitigation advice includes disabling leafnode support if it is not needed or restricting network access to the leafnode port to trusted sources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33218. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart