{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33219", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.314Z", "datePublished": "2026-03-25T19:55:28.363Z", "dateUpdated": "2026-03-25T20:10:35.721Z"}, "containers": {"cna": {"title": "NATS is vulnerable to pre-auth DoS through WebSockets client service", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-02.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-02.txt"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-11.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-11.txt"}, {"name": "https://github.com/advisories/GHSA-qrvq-68c2-7grw", "tags": ["x_refsource_MISC"], "url": "https://github.com/advisories/GHSA-qrvq-68c2-7grw"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": "< 2.11.15", "status": "affected"}, {"version": ">= 2.12.0-RC.1, < 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T19:55:28.363Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment."}], "source": {"advisory": "GHSA-8r68-gvr4-jh7j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:10:18.603979Z", "id": "CVE-2026-33219", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:10:35.721Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33219", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:10:18.603979Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:10:29.951Z"}}], "cna": {"title": "NATS is vulnerable to pre-auth DoS through WebSockets client service", "source": {"advisory": "GHSA-8r68-gvr4-jh7j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"status": "affected", "version": "< 2.11.15"}, {"status": "affected", "version": ">= 2.12.0-RC.1, < 2.12.6"}]}], "references": [{"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j", "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://advisories.nats.io/CVE/secnote-2026-02.txt", "name": "https://advisories.nats.io/CVE/secnote-2026-02.txt", "tags": ["x_refsource_MISC"]}, {"url": "https://advisories.nats.io/CVE/secnote-2026-11.txt", "name": "https://advisories.nats.io/CVE/secnote-2026-11.txt", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/advisories/GHSA-qrvq-68c2-7grw", "name": "https://github.com/advisories/GHSA-qrvq-68c2-7grw", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T19:55:28.363Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33219", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:10:35.721Z", "dateReserved": "2026-03-17T23:23:58.314Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T19:55:28.363Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C", "versionEndExcluding": "2.11.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154", "versionEndExcluding": "2.12.6", "versionStartIncluding": "2.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment."}], "id": "CVE-2026-33219", "lastModified": "2026-03-26T17:15:18.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T20:16:32.777", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://advisories.nats.io/CVE/secnote-2026-02.txt"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://advisories.nats.io/CVE/secnote-2026-11.txt"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/advisories/GHSA-qrvq-68c2-7grw"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/nats-io/nats-server: NATS-Server: Denial of Service via unbounded memory use in WebSockets", "id": "2451445", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451445"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in NATS-Server. A malicious client connecting to the WebSockets port can cause unbounded memory use before authentication by sending a large amount of data. This resource exhaustion vulnerability can lead to a Denial of Service (DoS) for the server, making it unavailable to legitimate users."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33219", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-25T19:55:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33219\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33219\nhttps://advisories.nats.io/CVE/secnote-2026-02.txt\nhttps://advisories.nats.io/CVE/secnote-2026-11.txt\nhttps://github.com/advisories/GHSA-qrvq-68c2-7grw\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.12.0-RC.1,2.12.6)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "nats-server", "source": "cna", "vendor": "nats-io"}, "product": "nats_server", "vendor": "nats"}], "analysis": {"en": {"generated_at": "2026-03-26T18:54:49.735335+00:00", "value": {"mitigation_remediation": ["Upgrade to nats-server version 2.11.15 or later or 2.12.6 or later", "If an upgrade is not feasible, disable the WebSockets interface for the deployment", "Monitor WebSocket traffic and server memory usage for abnormal spikes"], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "This issue affects nats-io NATS Server versions earlier than 2.11.15 and 2.12.6. The fixed releases, 2.11.15 and newer as well as 2.12.6 and newer, contain a patch that mitigates the vulnerability.", "description_and_impact": "A malicious client can connect to the NATS Server\u2019s WebSockets port before authentication and send a large amount of data, causing the server to allocate unbounded memory. This results in memory exhaustion, making the server unresponsive or causing it to terminate, thereby denying service to legitimate users. The weakness is a form of resource exhaustion, reflected in CWE\u2011770.", "risk_and_exploitability": "The CVSS score of 5.3 classifies the problem as medium severity, while an EPSS score below 1% indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker only needs network reach to the WebSockets port and the ability to send a large volume of data; no authentication or elevated privileges are required, but the bandwidth requirement limits the practical threat to most deployments."}}}}, "created": "2026-03-25T21:46:20.104179+00:00", "updated": "2026-03-27T09:30:10.884578+00:00", "vendors": ["nats", "nats$PRODUCT$nats_server"]}