CVE-2026-33218
Published: 25 March 2026
Summary
CVE-2026-33218 is a high-severity Improper Input Validation (CWE-20) vulnerability in Linuxfoundation Nats-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 46.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Ensures timely identification, reporting, and patching of flaws like the improper input validation in NATS-Server that allows pre-authentication DoS crashes.
Requires validation of information inputs such as malformed leafnode messages to prevent server crashes from unauthenticated remote clients.
Monitors and controls network communications to the leafnode port, restricting access as a workaround to block unauthenticated exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Malformed unauthenticated message to exposed leafnode port triggers server crash via input validation flaw, directly enabling Application or System Exploitation for Endpoint Denial of Service.
NVD Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions…
more
2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered.
Deeper analysisAI
CVE-2026-33218 is a denial-of-service vulnerability in NATS-Server, the high-performance server implementation for NATS.io, a cloud and edge native messaging system. Versions prior to 2.11.15 and 2.12.6 are affected, where a remote client can crash the server by sending a specifically malformed message to the leafnode port prior to authentication. The issue stems from improper input validation (CWE-20) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated attacker with network access to the exposed leafnode port can exploit this vulnerability with low complexity, requiring no privileges or user interaction. Successful exploitation causes an immediate crash of the nats-server process, leading to a denial-of-service condition that disrupts messaging services until the server is restarted.
Patched versions 2.11.15 and 2.12.6 resolve the issue, and upgrading is the primary mitigation recommended in the NATS security advisory (https://advisories.nats.io/CVE/secnote-2026-10.txt) and GitHub advisory (https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339). Workarounds include disabling leafnode support if not needed or restricting network access to the leafnode port, provided it does not compromise required service functionality.
Details
- CWE(s)