CVE-2026-33218
ADVISORY - githubSummary
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.
Problem Description
A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
- Disable leafnode support if not needed.
- Restrict network connections to your leafnode port, if plausible without compromising the service offered.
References
- This document is canonically: https://advisories.nats.io/CVE/secnote-2026-10.txt
- GHSA advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339
- MITRE CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33218
EPSS Score: 0.00166 (0.377)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Improper Input Validation
ADVISORY - github
Improper Input Validation
ADVISORY - redhat
Improper Validation of Syntactic Correctness of Input
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in