{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33219", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.314Z", "datePublished": "2026-03-25T19:55:28.363Z", "dateUpdated": "2026-03-25T20:10:35.721Z"}, "containers": {"cna": {"title": "NATS is vulnerable to pre-auth DoS through WebSockets client service", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-02.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-02.txt"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-11.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-11.txt"}, {"name": "https://github.com/advisories/GHSA-qrvq-68c2-7grw", "tags": ["x_refsource_MISC"], "url": "https://github.com/advisories/GHSA-qrvq-68c2-7grw"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": "< 2.11.15", "status": "affected"}, {"version": ">= 2.12.0-RC.1, < 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T19:55:28.363Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment."}], "source": {"advisory": "GHSA-8r68-gvr4-jh7j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:10:18.603979Z", "id": "CVE-2026-33219", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:10:35.721Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33219", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:10:18.603979Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:10:29.951Z"}}], "cna": {"title": "NATS is vulnerable to pre-auth DoS through WebSockets client service", "source": {"advisory": "GHSA-8r68-gvr4-jh7j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"status": "affected", "version": "< 2.11.15"}, {"status": "affected", "version": ">= 2.12.0-RC.1, < 2.12.6"}]}], "references": [{"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j", "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://advisories.nats.io/CVE/secnote-2026-02.txt", "name": "https://advisories.nats.io/CVE/secnote-2026-02.txt", "tags": ["x_refsource_MISC"]}, {"url": "https://advisories.nats.io/CVE/secnote-2026-11.txt", "name": "https://advisories.nats.io/CVE/secnote-2026-11.txt", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/advisories/GHSA-qrvq-68c2-7grw", "name": "https://github.com/advisories/GHSA-qrvq-68c2-7grw", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T19:55:28.363Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33219", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:10:35.721Z", "dateReserved": "2026-03-17T23:23:58.314Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T19:55:28.363Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment."}], "id": "CVE-2026-33219", "lastModified": "2026-03-25T20:16:32.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T20:16:32.777", "references": [{"source": "security-advisories@github.com", "url": "https://advisories.nats.io/CVE/secnote-2026-02.txt"}, {"source": "security-advisories@github.com", "url": "https://advisories.nats.io/CVE/secnote-2026-11.txt"}, {"source": "security-advisories@github.com", "url": "https://github.com/advisories/GHSA-qrvq-68c2-7grw"}, {"source": "security-advisories@github.com", "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T21:38:07.829210+00:00", "value": {"mitigation_remediation": ["Apply the official patch to upgrade to NATS Server 2.11.15 or later, or 2.12.6 or later", "If patching is not possible, disable WebSockets in the server configuration", "Monitor WebSocket traffic for unusually high data rates and limit connections if necessary"], "summary": {"action": "Patch Now", "impact": "Denial of Service via memory exhaustion"}, "threat_synthesis": {"affected_systems": "The affected product is NATS Server from nats\u2011io. Versions earlier than 2.11.15 in the 2.11 series and earlier than 2.12.6 in the 2.12 series are susceptible. The issue was fixed in later releases, so upgrading to the affected releases or newer ones eliminates the risk.", "description_and_impact": "NATS Server versions prior to 2.11.15 and 2.12.6 are vulnerable to unbounded memory usage when handling WebSocket connections before authentication, allowing a malicious client to trigger a denial of service. The flaw requires the attacker to send a large volume of data over the WebSocket port, unlike the earlier compression\u2011bomb variant, and can exhaust server memory. An attacker can force the server to become unresponsive, impacting availability for all users.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score is not available, but the attack requires a substantial amount of network bandwidth and an unauthenticated WebSocket connection, meaning that a client could send enough data to exhaust memory. Although no exploitation proof of concept is documented, the conditions to trigger the denial of service are straightforward from the description."}}}}, "created": "2026-03-25T21:46:20.104179+00:00", "updated": "2026-03-25T21:46:20.104207+00:00", "vendors": []}