CVE-2026-33218
Received Received - Intake
Denial of Service via Malformed Leafnode Message in NATS-Server

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33218
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation nats-server From 2.12.0 (inc) to 2.12.6 (exc)
linuxfoundation nats-server to 2.11.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the NATS-Server, a high-performance messaging server used in cloud and edge native systems. Before versions 2.11.15 and 2.12.6, a client connecting to the leafnode port could send a specially malformed message before authentication, causing the server to crash.

The issue is fixed in versions 2.11.15 and 2.12.6. As a temporary workaround, users can disable leafnode support if it is not needed or restrict network access to the leafnode port to prevent exploitation.

Compliance Impact

This vulnerability causes a denial of service by crashing the nats-server, impacting availability but not confidentiality or integrity.

Since the vulnerability does not affect confidentiality or integrity of data, it does not directly expose personal or sensitive information.

However, the availability impact could affect compliance with standards that require system availability and resilience, such as HIPAA's requirements for availability of electronic protected health information (ePHI).

Organizations relying on nats-server should consider the risk of service disruption and apply mitigations to maintain compliance with availability requirements in regulations like GDPR and HIPAA.

Detection Guidance

There is no specific detection method or command provided in the available resources to identify this vulnerability on your network or system.

However, general mitigation advice includes disabling leafnode support if it is not needed or restricting network access to the leafnode port to trusted sources.

Impact Analysis

This vulnerability can cause a denial of service by crashing the NATS-Server when a malformed message is sent to the leafnode port pre-authentication. This means the server becomes unavailable, potentially disrupting messaging services that rely on it.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your NATS-Server to version 2.11.15 or 2.12.6 or later, which contain the fix.

As a workaround, if upgrading is not immediately possible, you can disable leafnode support if it is not needed.

Alternatively, restrict network connections to the leafnode port to prevent untrusted clients from connecting, provided this does not compromise your service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33218. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart