CVE-2026-33218 HIGH

CVE-2026-33218: NATS has pre-auth server panic via leafnode handling

Vendor Nats-Io

Product nats-server

Weakness CWE-20 · Input validation

Published March 25, 2026

Last update June 30, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered.

Key dates

02Disclosure timeline

March 25, 2026 CVE published

June 30, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-33218 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

Identifiers

CVE CVE-2026-33218

CWE CWE-20

CVSS 7.5 / HIGH

Affected versions

Vendor Nats-Io

Product nats-server

Affected < < 2.11.15

Vendor Nats-Io

Product nats-server

Affected >= 2.12.0-RC.1, < 2.12.6

CVE-2026-33218: NATS has pre-auth server panic via leafnode handling

01Description

02Disclosure timeline

03References

04Related CVE