PatchSiren cyber security CVE debrief

CVE-2026-27889 nats-io CVE debrief

CVE-2026-27889 is a high-severity vulnerability in NATS-Server, a cloud and edge native messaging system. The vulnerability allows for a server panic due to a missing sanity check on a WebSockets frame. This issue was introduced in version 2.2.0 and affects versions prior to 2.11.14 and 2.12.5. The vulnerability is exploitable before authentication and is exposed to anyone who can connect to the WebSockets port. The CVSS score for this vulnerability is 7.5, indicating a high severity. A workaround is available, and defenders can mitigate the attack by restricting access to the WebSockets port or limiting exposure to untrusted endpoints.

Vendor: nats-io
Product: nats-server
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-06-30
Advisory published: 2026-03-25
Advisory updated: 2026-06-30

Who should care

Organizations using NATS-Server versions 2.2.0 through 2.11.13 or 2.12.0 through 2.12.4 should prioritize patching or applying the workaround. This includes deployments that use WebSockets and expose the network port to untrusted endpoints. Security teams and administrators responsible for NATS-Server deployments should be aware of this vulnerability and take immediate action to protect their systems.

Technical summary

The vulnerability in NATS-Server is caused by a missing sanity check on WebSockets frames, which lets a crafted frame trigger a server panic. This issue affects versions 2.2.0 through 2.11.13 and 2.12.0 through 2.12.4. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, no privileges and no user interaction required, no confidentiality or integrity impact, but high availability impact (denial of service), which yields the high severity rating. The associated weaknesses are CWE-190 (Integer Overflow or Wraparound) and CWE-1286 (Improper Validation of Syntactic Correctness of Input). The vulnerability is publicly known and has been fixed in versions 2.11.14 and 2.12.5.
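As an added example, not taken from the debrief or from the nats-server code base: a Go validator for the RFC 6455 frame header showing the kind of sanity checks (length encoding, reserved bits, control-frame limits) that must run before a declared payload length is used to size a buffer. The page does not say which check nats-server lacked, so this illustrates the cited weakness classes rather than the actual bug; maxPayload is a hypothetical limit.

```go
package main

import (
	"encoding/binary"
	"errors"
)

const maxPayload = 1 << 20 // hypothetical limit; the debrief gives no nats-server figure

// Header is the decoded fixed part of an RFC 6455 frame header.
type Header struct {
	Fin    bool
	Opcode byte
	Length uint64 // declared payload length, checked before any buffer is sized by it
}

// ParseHeader rejects headers before their length can size an allocation. The checks
// illustrate the cited weakness classes, not nats-server's actual bug: CWE-1286 (malformed
// syntax) and CWE-190 (a length with bit 63 set goes negative as int; make then panics).
func ParseHeader(b []byte) (Header, error) {
	if len(b) < 2 {
		return Header{}, errors.New("short header")
	}
	h := Header{Fin: b[0]&0x80 != 0, Opcode: b[0] & 0x0f}
	if b[0]&0x70 != 0 {
		return h, errors.New("reserved bits set without a negotiated extension")
	}
	switch l7 := uint64(b[1] & 0x7f); {
	case l7 == 126 && len(b) >= 4:
		h.Length = uint64(binary.BigEndian.Uint16(b[2:4]))
	case l7 == 127 && len(b) >= 10:
		h.Length = binary.BigEndian.Uint64(b[2:10])
		if h.Length>>63 != 0 {
			return h, errors.New("64-bit length with MSB set, which RFC 6455 forbids")
		}
	case l7 >= 126:
		return h, errors.New("truncated extended length field")
	default:
		h.Length = l7
	}
	if h.Opcode >= 0x8 && (!h.Fin || h.Length > 125) {
		return h, errors.New("control frame fragmented or longer than 125 bytes")
	}
	if h.Length > maxPayload {
		return h, errors.New("declared payload exceeds configured maximum")
	}
	return h, nil
}
```

Every rejection happens before the length reaches any allocation, which is the property a missing sanity check breaks.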

Defensive priority

High priority should be given to patching or applying the workaround for CVE-2026-27889. Restricting access to the WebSockets port or limiting exposure to untrusted endpoints can mitigate the attack. Security teams should prioritize deployments that use WebSockets and are exposed to untrusted endpoints.

Recommended defensive actions

  • Upgrade NATS-Server to a fixed release, 2.11.14 or 2.12.5.
  • Restrict access to the WebSockets port.
  • Limit exposure to untrusted endpoints.
  • Monitor the WebSockets port for suspicious activity and watch for unexpected server panics or restarts.
  • Review and update incident response plans.

Evidence notes

The CVE-2026-27889 vulnerability was publicly disclosed on March 25, 2026, and last modified on June 30, 2026. The vulnerability affects NATS-Server versions 2.2.0 through 2.11.13 and 2.12.0 through 2.12.4. The CVSS score for this vulnerability is 7.5, indicating a high severity. Multiple sources, including NVD and Red Hat, have documented this vulnerability.

This article is AI-assisted and based on the supplied source corpus.