Memory Vulnerability in NATS-Server by NATS.io
CVE-2026-33219

5.3MEDIUM

Key Information:

Vendor: Nats-io
Status: Nats-server
Vendor: CVE Published:; 25 March 2026

🔔 Create Nats-io Vulnerability Alert

What is CVE-2026-33219?

A vulnerability in NATS-Server lets a malicious client connect to the WebSockets port and cause excessive memory usage before authentication. This requires the client to send a substantial amount of data, which can potentially hinder server performance. Versions 2.11.15 and 2.12.6 include fixes for this issue. Users are advised to disable WebSockets if they are not essential for deployment.

Affected Version(s)

nats-server < 2.11.15 < 2.11.15

nats-server >= 2.12.0-RC.1, < 2.12.6 < 2.12.0-RC.1, 2.12.6

References

https://github.com/nats-io/nats-server/security/advisorie...

x_refsource_CONFIRM

https://advisories.nats.io/CVE/secnote-2026-02.txt

x_refsource_MISC

https://advisories.nats.io/CVE/secnote-2026-11.txt

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 25, 2026
Vulnerability Reserved
Mar 17, 2026

CVE-2026-33219 Data

.