CVE-2026-27889
Published: 25 March 2026
Summary
CVE-2026-27889 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Linuxfoundation Nats-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Applying patches in NATS-Server versions 2.11.14 and 2.12.5 directly remediates the missing WebSockets frame sanity check causing server panic.
Validating incoming WebSockets frames ensures malformed inputs are rejected before they can trigger the unauthenticated server crash.
Denial-of-service protections limit the effects of unauthenticated attackers exploiting the WebSockets port to induce server panic and disrupt availability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of a public-facing NATS WebSocket endpoint via crafted frames triggers server panic, directly enabling T1190 (Exploit Public-Facing Application) for availability impact and T1499.004 (Application or System Exploitation) as the DoS mechanism.
NVD Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the…
more
nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port. Versions 2.11.14 and 2.12.5 contains a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If one is able to do so, a defense in depth of restricting either of these will mitigate the attack.
Deeper analysisAI
CVE-2026-27889 affects NATS-Server, a high-performance server for the NATS.io cloud and edge native messaging system. The vulnerability stems from a missing sanity check on WebSockets frames, which can trigger a server panic. It impacts versions starting from 2.2.0 up to but not including 2.11.14 and 2.12.5, classified under CWE-190 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated attacker able to connect to the exposed WebSockets port can exploit this issue, as the flaw occurs before authentication. Successful exploitation causes a denial-of-service condition by crashing the server, disrupting availability without impacting confidentiality or integrity.
Patches are available in NATS-Server versions 2.11.14 and 2.12.5, with a workaround also provided. The vulnerability is limited to deployments enabling WebSockets and exposing the port to untrusted endpoints; mitigation includes restricting WebSockets usage or network access to the port as a defense-in-depth measure. Additional details are in advisories at https://advisories.nats.io/CVE/secnote-2026-03.txt and https://github.com/nats-io/nats-server/security/advisories/GHSA-pq2q-rcw4-3hr6.
Details
- CWE(s)