{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33218", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.314Z", "datePublished": "2026-03-25T19:53:12.075Z", "dateUpdated": "2026-03-25T19:53:12.075Z"}, "containers": {"cna": {"title": "NATS has pre-auth server panic via leafnode handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-10.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-10.txt"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": "< < 2.11.15", "status": "affected"}, {"version": ">= 2.12.0-RC.1, < 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T19:53:12.075Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered."}], "source": {"advisory": "GHSA-vprv-35vv-q339", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered."}], "id": "CVE-2026-33218", "lastModified": "2026-03-25T20:16:32.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T20:16:32.623", "references": [{"source": "security-advisories@github.com", "url": "https://advisories.nats.io/CVE/secnote-2026-10.txt"}, {"source": "security-advisories@github.com", "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "nats-server: github.com/nats-io/nats-server: NATS-Server: Denial of Service via malformed message pre-authentication on leafnode port", "id": "2451450", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451450"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1286", "details": ["A flaw was found in NATS-Server, a high-performance messaging system. A remote attacker, by connecting to the leafnode port and sending a specially crafted malformed message before authentication, can cause the nats-server to crash. This vulnerability leads to a Denial of Service (DoS), making the server unavailable to legitimate users."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33218", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-25T19:53:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33218\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33218\nhttps://advisories.nats.io/CVE/secnote-2026-10.txt\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-03-25T21:38:17.443146+00:00", "value": {"mitigation_remediation": ["Upgrade NATS-Server to version 2.11.15 or later (\u22652.12.6).", "Disable leafnode support if an upgrade cannot be performed immediately.", "Restrict access to the leafnode port via firewall or network segmentation to limit exposure."], "summary": {"action": "Patch immediately", "impact": "Server crash leading to denial of service"}, "threat_synthesis": {"affected_systems": "The NATS-Server process distributed by NATS.io is affected. Versions up to but not including 2.11.15 and 2.12.6 are vulnerable. These include the 2.11 branch before 2.11.15 and the 2.12 branch before 2.12.6. Upgrading to 2.11.15 or 2.12.6 or later resolves the issue.", "description_and_impact": "A malformed leafnode message can trigger a panic before authentication, causing the NATS-Server to crash. This denial-of-service vulnerability arises from inadequate input validation (CWE-20). Once exploited, the server becomes unavailable, disrupting message delivery across the system.", "risk_and_exploitability": "The CVSS score of 7.5 classifies this flaw as high impact. No EPSS score is available, and it is not listed in CISA\u2019s KEV catalog, suggesting no known widespread exploitation yet. Attackers can reach the vulnerable leafnode port over the network, then send the crafted malformed message; no additional privileges are required. Consequences include sudden service outages, affecting all clients relying on the affected NATS instance."}}}}, "created": "2026-03-25T21:46:21.150572+00:00", "updated": "2026-03-25T21:46:21.150597+00:00", "vendors": []}