PT-2026-27615 · Nats.Io · Nats Server
Published 2026-03-24 · Updated 2026-05-21 · CVE-2026-33218
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
NATS-Server versions prior to 2.11.15
NATS-Server versions prior to 2.12.6
Description
NATS-Server is a high-performance server for NATS.io, a cloud- and edge-native messaging system. It supports hub/spoke topologies built from leafnode connections to other nats-servers. A client connected to the leafnode port can crash the server with a specially crafted, malformed message sent before authentication completes.
Recommendations
Versions prior to 2.11.15 should be updated to version 2.11.15 or later.
Versions prior to 2.12.6 should be updated to version 2.12.6 or later.
If leafnode support is not needed, disable it.
Restrict network connections to the leafnode port if possible without impacting service.
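The following is an added example, not code from the advisory or from the NATS project. It turns the recommendations above into two defender-side checks: `assess_version()` decides whether a reported nats-server version falls inside the advisory's two "prior to" ranges and which release fixes it, and `leafnode_exposure()` classifies a nats-server configuration file as having the leafnode listener disabled, bound to loopback, or reachable from other hosts. The `leafnodes { port / listen }` keys are the standard nats-server configuration options as I understand them (an assumption, not something the advisory states), the comment-stripping and block parsing are a heuristic rather than a full config parser, and the sample configurations are constructed for this example.

```python
"""Defender-side checks for CVE-2026-33218 derived from the advisory text.

Added example: not the advisory's or the NATS project's code.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases exactly as the advisory states them, keyed by release line.
FIXED_IN = {
    (2, 11): (2, 11, 15),
    (2, 12): (2, 12, 6),
}


def parse_version(text: str) -> Version:
    """Extract x.y.z from strings such as 'v2.11.3' or 'nats-server: v2.12.5'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def assess_version(text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fix_version).

    Versions on the 2.12 line are measured against 2.12.6; everything older is
    measured against 2.11.15, mirroring the advisory's two 'prior to' ranges.
    Lines newer than 2.12 fall outside both ranges and are reported unaffected.
    """
    v = parse_version(text)
    fixed = FIXED_IN[(2, 12)] if v >= (2, 12, 0) else FIXED_IN[(2, 11)]
    if v < fixed:
        return True, ".".join(map(str, fixed))
    return False, None


def extract_block(config: str, name: str) -> Optional[str]:
    """Return the body of `name { ... }`, tracking nested braces (e.g. a tls block)."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", config)
    if m is None:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(config)):
        if config[i] == "{":
            depth += 1
        elif config[i] == "}":
            depth -= 1
            if depth == 0:
                return config[start:i]
    raise ValueError("unbalanced braces in config")


LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def leafnode_exposure(config: str) -> str:
    """Classify a config as 'disabled', 'loopback' or 'exposed'.

    Heuristic: '#' comments and whole-line '//' comments are stripped first
    (assumed nats-server comment syntax), then the leafnodes block is located.
    No block means the leafnode listener is off; `port: N` alone or a `listen`
    host that is not loopback means the port is reachable from other hosts.
    """
    cleaned = re.sub(r"^\s*//.*$|#.*", "", config, flags=re.M)
    body = extract_block(cleaned, "leafnodes")
    if body is None:
        return "disabled"
    m = re.search(r"\blisten\s*[:=]?\s*\"?([^\"\s,]+)", body)
    if m is None:
        return "exposed"           # `port: N` binds every interface
    value = m.group(1)
    host = value.rsplit(":", 1)[0] if ":" in value else value
    host = host.strip("[]")        # "[::1]:7422" style
    return "loopback" if host in LOOPBACK else "exposed"


# Constructed sample configurations (not from any real deployment).
CONFIG_EXPOSED = """
port: 4222
leafnodes {
  port: 7422   # the usual leafnode port, bound on all interfaces
  tls { cert_file: "leaf.pem", key_file: "leaf.key" }
}
"""
CONFIG_LOOPBACK = """
port: 4222
leafnodes { listen: "127.0.0.1:7422" }
"""
CONFIG_DISABLED = """
port: 4222
"""

if __name__ == "__main__":
    for reported in ("nats-server: v2.11.14", "v2.12.5", "v2.11.15", "v2.13.0"):
        print(reported, "->", assess_version(reported))
    for label, cfg in (("exposed", CONFIG_EXPOSED), ("loopback", CONFIG_LOOPBACK),
                       ("disabled", CONFIG_DISABLED)):
        print(label, "->", leafnode_exposure(cfg))
```

Feed `assess_version()` the output of `nats-server --version` and `leafnode_exposure()` the contents of the server's configuration file; a result of `(True, ...)` together with `"exposed"` is the combination the advisory's recommendations are aimed at.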
Exploit
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Nats Server