{"api_version":"1","generated_at":"2026-07-13T07:40:37+00:00","cve":"CVE-2026-33219","urls":{"html":"https://cve.report/CVE-2026-33219","api":"https://cve.report/api/cve/CVE-2026-33219.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-33219","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-33219"},"summary":{"title":"NATS is vulnerable to pre-auth DoS through WebSockets client service","description":"NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-03-25 20:16:32","updated_at":"2026-06-30 03:18:38"},"problem_types":["CWE-770","CWE-770 CWE-770: Allocation of Resources Without Limits or Throttling","CWE-770 Allocation of Resources Without Limits or Throttling"],"metrics":[{"version":"3.1","source":"ADP","type":"CVSS","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","version":"3.1"}}],"references":[{"url":"https://advisories.nats.io/CVE/secnote-2026-02.txt","name":"https://advisories.nats.io/CVE/secnote-2026-02.txt","refsource":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/advisories/GHSA-qrvq-68c2-7grw","name":"https://github.com/advisories/GHSA-qrvq-68c2-7grw","refsource":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33219.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33219.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-33219","name":"https://access.redhat.com/security/cve/CVE-2026-33219","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2451445","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2451445","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:21769","name":"https://access.redhat.com/errata/RHSA-2026:21769","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j","name":"https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j","refsource":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:23345","name":"https://access.redhat.com/errata/RHSA-2026:23345","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:22347","name":"https://access.redhat.com/errata/RHSA-2026:22347","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://advisories.nats.io/CVE/secnote-2026-11.txt","name":"https://advisories.nats.io/CVE/secnote-2026-11.txt","refsource":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-33219","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33219","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"nats-io","product":"nats-server","version":"affected < 2.11.15","platforms":[]},{"source":"CNA","vendor":"nats-io","product":"nats-server","version":"affected >= 2.12.0-RC.1, < 2.12.6","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Multicluster Global Hub 1.4.5","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Multicluster Global Hub 1.5.4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Multicluster Global Hub 1.6.2","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-03-25T20:01:41.235Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-03-25T19:55:28.363Z","lang":"en","value":"Made public."}],"solutions":[{"source":"ADP","title":"","value":"RHSA-2026:22347: Multicluster Global Hub 1.4.5","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:21769: Multicluster Global Hub 1.5.4","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:23345: Multicluster Global Hub 1.6.2","time":"","lang":"en"}],"workarounds":[{"source":"ADP","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"33219","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"nats-server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-33219","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-25T20:10:18.603979Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-25T20:10:35.721Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"cpes":["cpe:/a:redhat:multicluster_globalhub:1.4::el9"],"defaultStatus":"affected","product":"Multicluster Global Hub 1.4.5","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:multicluster_globalhub:1.5::el9"],"defaultStatus":"affected","product":"Multicluster Global Hub 1.5.4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:multicluster_globalhub:1.6::el9"],"defaultStatus":"affected","product":"Multicluster Global Hub 1.6.2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"unaffected","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"}],"datePublic":"2026-03-25T19:55:28.363Z","descriptions":[{"lang":"en","value":"A flaw was found in NATS-Server. A malicious client connecting to the WebSockets port can cause unbounded memory use before authentication by sending a large amount of data. This resource exhaustion vulnerability can lead to a Denial of Service (DoS) for the server, making it unavailable to legitimate users."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-770","description":"Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T02:45:08.688Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-33219"},{"name":"RHBZ#2451445","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2451445"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33219.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:22347"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:21769"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:23345"}],"solutions":[{"lang":"en","value":"RHSA-2026:22347: Multicluster Global Hub 1.4.5"},{"lang":"en","value":"RHSA-2026:21769: Multicluster Global Hub 1.5.4"},{"lang":"en","value":"RHSA-2026:23345: Multicluster Global Hub 1.6.2"}],"timeline":[{"lang":"en","time":"2026-03-25T20:01:41.235Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-03-25T19:55:28.363Z","value":"Made public."}],"title":"github.com/nats-io/nats-server: NATS-Server: Denial of Service via unbounded memory use in WebSockets","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"product":"nats-server","vendor":"nats-io","versions":[{"status":"affected","version":"< 2.11.15"},{"status":"affected","version":">= 2.12.0-RC.1, < 2.12.6"}]}],"descriptions":[{"lang":"en","value":"NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-770","description":"CWE-770: Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-25T19:55:28.363Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j","tags":["x_refsource_CONFIRM"],"url":"https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j"},{"name":"https://advisories.nats.io/CVE/secnote-2026-02.txt","tags":["x_refsource_MISC"],"url":"https://advisories.nats.io/CVE/secnote-2026-02.txt"},{"name":"https://advisories.nats.io/CVE/secnote-2026-11.txt","tags":["x_refsource_MISC"],"url":"https://advisories.nats.io/CVE/secnote-2026-11.txt"},{"name":"https://github.com/advisories/GHSA-qrvq-68c2-7grw","tags":["x_refsource_MISC"],"url":"https://github.com/advisories/GHSA-qrvq-68c2-7grw"}],"source":{"advisory":"GHSA-8r68-gvr4-jh7j","discovery":"UNKNOWN"},"title":"NATS is vulnerable to pre-auth DoS through WebSockets client service"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-33219","datePublished":"2026-03-25T19:55:28.363Z","dateReserved":"2026-03-17T23:23:58.314Z","dateUpdated":"2026-06-30T02:45:08.688Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-25 20:16:32","lastModifiedDate":"2026-06-30 03:18:38","problem_types":["CWE-770","CWE-770 CWE-770: Allocation of Resources Without Limits or Throttling","CWE-770 Allocation of Resources Without Limits or Throttling"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-25T20:10:18.603979Z","id":"CVE-2026-33219","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*","versionEndExcluding":"2.11.15","matchCriteriaId":"13EA156E-2759-4586-A22E-CDEAAD4D610C"},{"vulnerable":true,"criteria":"cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*","versionStartIncluding":"2.12.0","versionEndExcluding":"2.12.6","matchCriteriaId":"4E347CFB-C56D-4FD8-8DD8-3D34C08D7154"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"33219","Ordinal":"1","Title":"NATS is vulnerable to pre-auth DoS through WebSockets client ser","CVE":"CVE-2026-33219","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"33219","Ordinal":"1","NoteData":"NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment.","Type":"Description","Title":"NATS is vulnerable to pre-auth DoS through WebSockets client ser"}]}}}