NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571.
That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix.
As a workaround, disable websockets if not required for project deployment.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
Low
Partial disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 2
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Linuxfoundation Nats-Server
cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
|
— |
2.11.15
|
|
Linuxfoundation Nats-Server
cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
|
2.12.0
|
2.12.6
|
References 4
https://advisories.nats.io/CVE/secnote-2026-02.txt
security-advisories@github.com
https://advisories.nats.io/CVE/secnote-2026-11.txt
security-advisories@github.com
https://github.com/advisories/GHSA-qrvq-68c2-7grw
security-advisories@github.com
https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j
security-advisories@github.com