PatchSiren cyber security CVE debrief
CVE-2026-27889 nats-io CVE debrief
CVE-2026-27889 is a high-severity denial-of-service vulnerability in NATS-Server, the cloud and edge native messaging system maintained by nats-io. A missing sanity check on an incoming WebSocket frame lets a crafted frame crash the server with a panic. The bug was introduced in version 2.2.0 and affects every later release prior to 2.11.14 and 2.12.5. It is reachable before authentication, so anyone who can open a connection to the WebSocket port can trigger it; no credentials are required. The CVSS 3.1 base score is 7.5 (High), with the impact confined to availability. Fixed releases are 2.11.14 and 2.12.5. As a workaround until the upgrade lands, restrict access to the WebSocket port so that only trusted endpoints can reach it.
- Vendor: nats-io
- Product: nats-server
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-25
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-25
- Advisory updated: 2026-06-30
Who should care
Anyone running NATS-Server 2.2.0 through 2.11.13, or 2.12.0 through 2.12.4, with the WebSocket listener enabled. The risk is greatest where that listener is reachable from untrusted networks or tenants, because the panic can be triggered without authenticating; a listener bound to an internal interface behind a firewall still needs the patch, but can be scheduled. Security teams and the administrators who own these deployments should check the running version and the reachability of the WebSocket port now, then either upgrade or apply the workaround.
Technical summary
The server fails to sanity-check an incoming WebSocket frame before acting on it, and a crafted frame causes a panic that terminates the process. The recorded weaknesses are CWE-190 (Integer Overflow or Wraparound) and CWE-1286 (Improper Validation of Syntactic Correctness of Input), which suggests an unvalidated size or length value in the frame; beyond that mapping, the sources summarised here give no further detail of the field or the check. Affected versions are 2.2.0 through 2.11.13 and 2.12.0 through 2.12.4; the fix shipped in 2.11.14 and 2.12.5. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, scored 7.5 (High): reachable over the network, low attack complexity, no privileges or user interaction needed, no confidentiality or integrity impact, and a high impact on availability. The vulnerability is publicly disclosed.
Defensive priority
Treat CVE-2026-27889 as a high-priority fix wherever the WebSocket listener faces the internet or untrusted tenants: an unauthenticated client can take the server down, and a NATS outage cascades to every service that depends on the message bus. Patch first. Where the upgrade cannot happen immediately, restrict the WebSocket port at the network layer (firewall, security group, or a proxy that admits only trusted clients) so that only trusted endpoints can reach it. Internal-only listeners still need the patch, but can follow the normal maintenance schedule.
Recommended defensive actions
- Upgrade NATS-Server to 2.11.14 or later on the 2.11 line, or 2.12.5 or later on the 2.12 line.
- Until then, restrict reachability of the WebSocket port with firewall rules, cloud security groups or a binding to an internal interface, so that only trusted endpoints can connect.
- Do not expose the WebSocket listener to untrusted networks; if clients outside the trust boundary need it, put it behind a proxy that authenticates them before forwarding.
- Monitor the WebSocket port for connections from unexpected sources, and alert on nats-server restarts or panic messages in its logs, which would indicate an attempt.
- Review and update incident response plans, including the runbook for a message-bus outage.
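The two questions the sections above leave an operator with are "is my version in the affected range?" and "is my WebSocket listener reachable from somewhere I do not trust?". The script below answers both for a given server; it is an added example written for this debrief, not code from the advisory or from the nats-server project. It assumes nats-server's usual MAJOR.MINOR.PATCH[-suffix] version string (as carried in the `INFO {...}` line the server sends on connect, or printed by `nats-server -v`) and a `websocket { ... }` config block using the documented `listen`, `host` and `port` keys; the config scan is line oriented rather than a full parser, and the INFO line and the two config files are constructed samples, not captures from a real deployment.

```python
"""Triage helper for CVE-2026-27889: added example, not code from the advisory
or the nats-server project. Assumptions: nats-server's MAJOR.MINOR.PATCH[-suffix]
version string (from the INFO line sent on connect or `nats-server -v`), and a
websocket config block using the documented listen/host/port keys. The config
scan is line oriented, not a full parser."""
import json
import re
from typing import Optional, Tuple

INTRODUCED = (2, 2, 0)                 # first affected release
FIXED = ((2, 11, 14), (2, 12, 5))      # first fixed release on each line
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([-+].*)?$")

def parse_version(s: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return (major, minor, patch) and whether a pre-release/build suffix is present."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised nats-server version: {s!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4] is not None

def is_affected(version: str) -> bool:
    """True for 2.2.0..2.11.13 and 2.12.0..2.12.4 (the ranges in the advisory)."""
    base, has_suffix = parse_version(version)
    if base < INTRODUCED:
        return False
    if base < (2, 11, 14) or (2, 12, 0) <= base < (2, 12, 5):
        return True
    # A pre-release tagged with the fix version may predate the fix: flag it.
    return has_suffix and base in FIXED

def version_from_info(line: str) -> str:
    """Pull "version" out of the `INFO {...}` line nats-server sends on connect."""
    if not line.startswith("INFO "):
        raise ValueError("not an INFO line")
    return json.loads(line[5:])["version"]

def _websocket_block(config: str) -> Optional[str]:
    """Body of the `websocket { ... }` block, or None when there is none."""
    m = re.search(r"\bwebsocket\s*\{", config)
    if m is None:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(config)):
        depth += {"{": 1, "}": -1}.get(config[i], 0)
        if depth == 0:
            return config[start:i]
    raise ValueError("unbalanced braces in websocket block")

def _key(block: str, name: str) -> Optional[str]:
    m = re.search(rf'^\s*{name}\s*[:=]?\s*"?([^"\s]*)"?', block, re.M)
    return m[1] if m else None

def websocket_exposure(config: str) -> str:
    """'disabled' (no block), 'local' (loopback), 'internal' (one specific
    non-loopback address) or 'exposed' (all interfaces)."""
    block = _websocket_block(config)
    if block is None:
        return "disabled"
    listen = _key(block, "listen")
    host = None
    if listen and not listen.isdigit():           # "host:port" / "[v6]:port", not a bare port
        host = listen.rsplit(":", 1)[0]
    host = _key(block, "host") or host
    if host in (None, "", "0.0.0.0", "::", "[::]"):  # assumption: no host = bind everywhere
        return "exposed"
    if host in ("127.0.0.1", "localhost", "::1", "[::1]"):
        return "local"
    return "internal"

def triage(info_line: str, config: str) -> dict:
    """The verdict an operator needs: patch now, or patch on schedule."""
    version = version_from_info(info_line)
    affected, exposure = is_affected(version), websocket_exposure(config)
    return {"version": version, "affected": affected, "websocket": exposure,
            "urgent": affected and exposure == "exposed"}

# Constructed samples, not captured from a real server.
SAMPLE_INFO = ('INFO {"server_id":"NEXAMPLE","version":"2.11.13","proto":1,'
               '"headers":true,"max_payload":1048576}')
EXPOSED_CONF = """
port: 4222
websocket {
    listen: "0.0.0.0:8080"
    no_tls: true
}
"""
HARDENED_CONF = """
port: 4222
websocket {
    # Loopback only: reach it through a trusted proxy or not at all.
    listen: "127.0.0.1:8080"
    no_tls: true
}
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, triage(SAMPLE_INFO, conf))
```

The version check deliberately treats a pre-release build tagged with a fix version (for example `2.12.5-RC.1`) as affected, since such a build may predate the fix; the exposure check treats a missing host as a bind to all interfaces, which is the conservative reading. An `internal` result means a specific non-loopback address and still needs to be reconciled with firewall or security-group rules.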
Evidence notes
CVE-2026-27889 was published on 2026-03-25 and last modified on 2026-06-30. The stored evidence gives the affected ranges as NATS-Server 2.2.0 through 2.11.13 and 2.12.0 through 2.12.4, and the CVSS 3.1 base score as 7.5 (High). NVD and Red Hat both carry the record; no CISA KEV entry was found in the stored evidence.
Official resources
- CVE-2026-27889 CVE record (CVE.org)
- CVE-2026-27889 NVD detail (NVD)
- Vendor advisory (NVD reference tagged Mitigation, Vendor Advisory)
This article is AI-assisted and based on the supplied source corpus.