HIGH 7.5 Go
NATS has pre-auth server panic via leafnode handling
GHSA-vprv-35vv-q339 · BIT-nats-2026-33218 · CVE-2026-33218 · GO-2026-4837
Published · Modified
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.
Problem Description
A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
- Disable leafnode support if not needed.
- Restrict network connections to your leafnode port, if plausible without compromising the service offered.
References
- This document is canonically: https://advisories.nats.io/CVE/secnote-2026-10.txt
- GHSA advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339
- MITRE CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33218
Ready to move
Start Securing
Free, no credit card | First findings in minutes