CVE-2026-33218: NATS has pre-auth server panic via leafnode handling
(updated )
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server allows hub/spoke topologies using “leafnode” connections by other nats-servers.
Problem Description
A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
- Disable leafnode support if not needed.
- Restrict network connections to your leafnode port, if plausible without compromising the service offered.
References
- This document is canonically: https://advisories.nats.io/CVE/secnote-2026-10.txt
- GHSA advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339
- MITRE CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33218
References
Code Behaviors & Features
Detect and mitigate CVE-2026-33218 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →