Vulnerability Description
NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSocket frame could trigger a server panic in the nats-server. This happens before authentication, so it is exposed to anyone who can connect to the WebSocket port. Versions 2.11.14 and 2.12.5 contain a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted endpoints. Where possible, restricting either of these (disabling WebSocket listeners, or limiting who can reach the WebSocket port) is a defense-in-depth measure that mitigates the attack.
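The following triage helper is an added example for this page and is not code from the NATS project or the advisory. It encodes only the version ranges stated above (affected from 2.2.0, fixed in 2.11.14 on the 2.11 line and 2.12.5 on the 2.12 line) and combines them with the two exposure conditions the advisory names (WebSocket enabled, port reachable by untrusted peers) to classify a deployment. The treatment of release lines the advisory does not mention (anything other than 2.x up to 2.12) is an assumption and is marked as such in the code; the version strings fed in are constructed samples in the shape `nats-server -v` prints.

```python
"""Triage helper for CVE-2026-27889 (pre-auth WebSocket frame panic in nats-server).

Added example, not project code. Only the ranges quoted from the advisory are
encoded; handling of unlisted release lines is an assumption noted inline.
"""
import re
from typing import Tuple

# Ranges stated in the advisory text.
AFFECTED_FROM = (2, 2, 0)
FIXED_IN = {11: (2, 11, 14), 12: (2, 12, 5)}  # keyed by minor version of the 2.x line

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings such as 'nats-server: v2.11.3'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version falls inside an affected range named by the advisory."""
    v = parse_version(version)
    if v < AFFECTED_FROM:
        return False  # the missing check was introduced in 2.2.0
    major, minor, _ = v
    if major != 2:
        return False  # assumption: the advisory names only 2.x lines
    if minor < 11:
        return True  # every 2.2 .. 2.10 release predates both fixes
    fixed = FIXED_IN.get(minor)
    if fixed is None:
        return False  # assumption: lines newer than 2.12 ship with the fix
    return v < fixed


def assess(version: str, websocket_enabled: bool, port_reachable_by_untrusted: bool) -> str:
    """Classify a deployment using the advisory's two exposure conditions.

    Returns a short status string; the first word is the severity bucket.
    """
    if not is_affected(version):
        return "FIXED: version outside the affected ranges"
    if not websocket_enabled:
        return "CONTAINED: vulnerable code present but no WebSocket listener is enabled"
    if not port_reachable_by_untrusted:
        return "CONTAINED: WebSocket listener reachable only from trusted networks; upgrade"
    return "VULNERABLE: pre-auth panic reachable by untrusted peers; upgrade to 2.11.14 / 2.12.5 or restrict the listener"


if __name__ == "__main__":
    # Constructed sample inventory: (version string, websocket on?, untrusted reach?)
    inventory = [
        ("nats-server: v2.10.7", True, True),
        ("nats-server: v2.11.13", True, False),
        ("nats-server: v2.11.14", True, True),
        ("nats-server: v2.12.4", False, True),
    ]
    for version, ws_on, exposed in inventory:
        print(f"{version:<24} -> {assess(version, ws_on, exposed)}")
```

The severity bucket is intentionally the first word of the returned string so the helper can be piped into an inventory script that sorts hosts by `VULNERABLE`, `CONTAINED`, `FIXED`; a `CONTAINED` result still warrants the upgrade, since the advisory describes the restriction only as defense in depth.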
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Nats-Server | >= 2.2.0, < 2.11.14 |
Related Weaknesses (CWE)
References
- https://advisories.nats.io/CVE/secnote-2026-03.txt (Mitigation, Vendor Advisory)
- https://github.com/nats-io/nats-server/security/advisories/GHSA-pq2q-rcw4-3hr6 (Mitigation, Vendor Advisory)
FAQ
What is CVE-2026-27889?
CVE-2026-27889 is a vulnerability with a CVSS score of 7.5 (HIGH). NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSocke...
How severe is CVE-2026-27889?
CVE-2026-27889 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2026-27889?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Nats-Server.