CVE-2026-33218

ADVISORY - github

Summary

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.

Problem Description

A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

Disable leafnode support if not needed.
Restrict network connections to your leafnode port, if plausible without compromising the service offered.

References

This document is canonically: https://advisories.nats.io/CVE/secnote-2026-10.txt
GHSA advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339
MITRE CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33218

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-20⁠

Improper Input Validation

ADVISORY - github

CWE-20⁠

Improper Input Validation

ADVISORY - redhat

CWE-1286⁠

Improper Validation of Syntactic Correctness of Input

Impacted images

Advisories

NIST

CREATED

1 day ago

UPDATED

10 hours ago

ADVISORY IDCVE-2026-33218⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-20⁠

CVSS SCORE

7.5high

GitHub

CREATED

2 days ago

UPDATED

2 days ago

ADVISORY IDGHSA-vprv-35vv-q339⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-20⁠

CVSS SCORE

7.5high

Alpine

CREATED

8 hours ago

UPDATED

8 hours ago

ADVISORY IDCVE-2026-33218⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Debian

CREATED

16 hours ago

UPDATED

16 hours ago

ADVISORY IDCVE-2026-33218⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

2 hours ago

UPDATED

2 hours ago

ADVISORY IDCVE-2026-33218⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

GoLang

CREATED

7 hours ago

UPDATED

7 hours ago

ADVISORY IDGO-2026-4837⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Red Hat

CREATED

1 day ago

UPDATED

1 day ago

ADVISORY IDCVE-2026-33218⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-1286⁠

CVSS SCORE

7.5high

Chainguard

CREATED

2 hours ago

UPDATED

2 hours ago

ADVISORY ID

CGA-32mq-856x-9662

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

2 days ago

UPDATED

2 days ago

ADVISORY ID

MINI-726c-j879-4jgg

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY