PatchSiren

nats-io CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH nats-io CVE published 2026-03-25

CVE-2026-33247

CVE-2026-33247 is a high-severity vulnerability in NATS-Server, a cloud and edge native messaging system. Any static client credentials passed to nats-server via argv (the command line) are exposed to anyone who can reach the monitoring port, because the `/debug/vars` endpoint returns an unredacted copy of argv. This issue affects NATS-Server versions prior to 2.11.15 and 2.12.6. To mitigate, configure cr [truncated]
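An added checker for the exposure described above; it is not PatchSiren's or the NATS project's code. It assumes the standard Go expvar layout of `/debug/vars`, in which the `cmdline` key carries the process argv verbatim, and treats `--user`, `--pass` and `--auth` as the credential-bearing nats-server flags. The sample document, its flag values and the monitoring URL in the comments are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed sample of a Go expvar document as served at /debug/vars.
// expvar always publishes "cmdline", the process argv, verbatim. The
// flag values here are made up.
const sampleDebugVars = `{
  "cmdline": ["/usr/local/bin/nats-server", "-m", "8222",
              "--user", "svc", "--pass", "hunter2",
              "--auth", "s3cr3ttoken", "-c", "/etc/nats/nats.conf"],
  "memstats": {"Alloc": 12345}
}`

// credentialFlags lists nats-server flags whose argument is a credential
// (--user/--pass for a static user, --auth for a static token). Which
// flags to treat as sensitive is this checker's assumption.
var credentialFlags = map[string]bool{
	"--user": true, "-user": true,
	"--pass": true, "-pass": true,
	"--auth": true, "-auth": true,
}

// fetchDebugVars retrieves the expvar document from a monitoring endpoint,
// e.g. http://nats.example.internal:8222/debug/vars (8222 is the
// conventional nats-server monitor port, as set by -m). Placeholder host.
func fetchDebugVars(url string) ([]byte, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// extractCmdline parses the expvar JSON and returns the "cmdline" array.
func extractCmdline(doc []byte) ([]string, error) {
	var v struct {
		Cmdline []string `json:"cmdline"`
	}
	if err := json.Unmarshal(doc, &v); err != nil {
		return nil, err
	}
	return v.Cmdline, nil
}

// findExposedCredentials returns the credential flags present in argv,
// handling both "--flag value" and "--flag=value" spellings.
func findExposedCredentials(argv []string) []string {
	var flags []string
	for i := 0; i < len(argv); i++ {
		if name, _, ok := strings.Cut(argv[i], "="); ok && credentialFlags[name] {
			flags = append(flags, name)
			continue
		}
		if credentialFlags[argv[i]] && i+1 < len(argv) {
			flags = append(flags, argv[i])
			i++ // skip the value
		}
	}
	return flags
}

// redactArgv returns a copy of argv with every credential value replaced,
// i.e. the form in which argv could safely be logged or displayed.
func redactArgv(argv []string) []string {
	out := append([]string(nil), argv...)
	for i := 0; i < len(out); i++ {
		if name, _, ok := strings.Cut(out[i], "="); ok && credentialFlags[name] {
			out[i] = name + "=<redacted>"
			continue
		}
		if credentialFlags[out[i]] && i+1 < len(out) {
			out[i+1] = "<redacted>"
			i++
		}
	}
	return out
}

func main() {
	// Offline run against the constructed sample; for a live check use
	// fetchDebugVars("http://<monitor-host>:8222/debug/vars") instead.
	argv, err := extractCmdline([]byte(sampleDebugVars))
	if err != nil {
		panic(err)
	}
	if flags := findExposedCredentials(argv); len(flags) > 0 {
		fmt.Println("credential flags visible in /debug/vars:", flags)
		fmt.Println("redacted argv:", strings.Join(redactArgv(argv), " "))
	} else {
		fmt.Println("no credential flags in argv")
	}
}
```

Any flag the checker reports is a credential that every reader of the monitoring port has already had the chance to copy, so the response is to rotate it and move it out of argv, not just to upgrade.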

HIGH nats-io CVE published 2026-03-25

CVE-2026-33218

CVE-2026-33218 is a high-severity vulnerability in NATS-Server, a cloud and edge native messaging system. A client that can connect to the leafnode port can crash nats-server with a particular malformed message, before authentication. It has a CVSS score of 7.5 (HIGH). Versions 2.11.15 and 2.12.6 of NATS-Server contain a fix for this vulnerability. As a workaround, di [truncated]

HIGH nats-io CVE published 2026-03-25

CVE-2026-33217

CVE-2026-33217 is a high-severity vulnerability in NATS-Server, a cloud and edge native messaging system. It allows MQTT clients to bypass ACL checks for MQTT subjects when ACLs are applied to message subjects in the `$MQTT.>` namespace. This issue was addressed in versions 2.11.15 and 2.12.6 of NATS-Server. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 7.1, indica [truncated]
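A simplified model of a NATS subject ACL check, added here as illustration and not taken from nats-server: `*` matches exactly one token, `>` matches one or more trailing tokens, and deny patterns take precedence over allow patterns. The policy and subjects are constructed. It handles literal subjects only (wildcard subscriptions need an overlap check rather than a literal match), and the point the advisory makes is that this same decision has to gate subjects arriving through the MQTT listener, not only native clients.

```go
package main

import (
	"fmt"
	"strings"
)

// Permissions is a simplified model of a NATS subject ACL: a list of
// allowed subject patterns and a list of denied ones, deny taking
// precedence. This is an added illustration, not nats-server's code.
type Permissions struct {
	Allow []string
	Deny  []string
}

// subjectMatches reports whether subject falls under pattern using the
// NATS wildcard rules: tokens are separated by ".", "*" matches exactly
// one token and ">" (only valid as the last token) matches one or more
// trailing tokens.
func subjectMatches(pattern, subject string) bool {
	p := strings.Split(pattern, ".")
	s := strings.Split(subject, ".")
	for i, tok := range p {
		switch tok {
		case ">":
			// Must be the last pattern token and cover at least one subject token.
			return i == len(p)-1 && len(s) > i
		case "*":
			if i >= len(s) {
				return false
			}
		default:
			if i >= len(s) || s[i] != tok {
				return false
			}
		}
	}
	return len(p) == len(s)
}

func matchesAny(patterns []string, subject string) bool {
	for _, pat := range patterns {
		if subjectMatches(pat, subject) {
			return true
		}
	}
	return false
}

// Allowed decides whether a literal subject may be used under p.
// Deny wins over allow; an empty allow list permits everything not denied.
func (p Permissions) Allowed(subject string) bool {
	if matchesAny(p.Deny, subject) {
		return false
	}
	return len(p.Allow) == 0 || matchesAny(p.Allow, subject)
}

func main() {
	// Constructed policy: this account may use anything except the
	// server-internal $MQTT.> namespace.
	p := Permissions{Allow: []string{">"}, Deny: []string{"$MQTT.>"}}
	for _, subj := range []string{"orders.eu", "$MQTT.sub.orders", "$MQTT"} {
		fmt.Printf("%-20s allowed=%v\n", subj, p.Allowed(subj))
	}
}
```

Note that `$MQTT.>` does not cover the bare subject `$MQTT`: `>` requires at least one further token, so a deny meant to fence off a whole namespace should be paired with a deny on the namespace root if that root is itself a usable subject.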

HIGH nats-io CVE published 2026-03-25

CVE-2026-27889

CVE-2026-27889 is a high-severity vulnerability in NATS-Server, a cloud and edge native messaging system. A missing sanity check on a WebSocket frame allows a client to trigger a server panic. This issue was introduced in version 2.2.0 and affects versions prior to 2.11.14 and 2.12.5. The vulnerability is exploitable before authentication and is exposed to anyone who can connect to the WebSocket [truncated]