NATS Advisories
Security advisories for the NATS.io project
To report a vulnerability, please send email to security@nats.io.
NATS Advisories
- Security Note 2026-05
- nats-server: MQTT plaintext password disclosure
CVE-2026-33216;GHSA-v722-jcv5-w7mc- 2026-03-24
- Security Note 2026-06
- nats-server: MQTT hijacking via Client ID
CVE-2026-33215;GHSA-fcjp-h8cc-6879- 2026-03-24
- Security Note 2026-07
- nats-server: MQTT ACLs ineffective
CVE-2026-33217;GHSA-jxxm-27vp-c3m5- 2026-03-24
- Security Note 2026-08
- nats-server: Leafnode spoofing of Nats-Request-Info identity information
CVE-2026-33246;GHSA-55h8-8g96-x4hj- 2026-03-24
- Security Note 2026-09
- nats-server: Internal identity header Nats-Request-Info spoofable
CVE-2026-33223;GHSA-pwx7-fx9r-hr4h- 2026-03-24
- Security Note 2026-10
- nats-server: Pre-auth server panic in leafnode handling
CVE-2026-33218;GHSA-vprv-35vv-q339- 2026-03-24
- Security Note 2026-11
- nats-server: WebSockets pre-auth DoS
CVE-2026-33219;GHSA-8r68-gvr4-jh7j- 2026-03-24
- Security Note 2026-12
- nats-server: JetStream: Stream restore endpoint auth bypass
CVE-2026-33222;GHSA-9983-vrx2-fg9c- 2026-03-24
- Security Note 2026-13
- nats-server: mTLS DN-based identity auth bypass for some DN patterns
CVE-2026-33248;GHSA-3f24-pcvm-5jqc- 2026-03-24
- Security Note 2026-14
- nats-server: credentials via command-line argv exposed to monitoring
CVE-2026-33247;GHSA-x6g4-f6q3-fqvv- 2026-03-24
- Security Note 2026-15
- nats-server: Message tracing can be redirected to arbitrary subject
CVE-2026-33249;GHSA-8m2x-3m6q-6w8j- 2026-03-24
- Security Note 2026-04
- nats-server leafnodes pre-auth server panic
CVE-2026-29785;GHSA-52jh-2xxh-pwh6- 2026-03-09
- Security Note 2026-03
- nats-server WebSockets pre-auth remote server crash
CVE-2026-27889;GHSA-pq2q-rcw4-3hr6- 2026-03-09
- Security Note 2026-02
- nats-server websockets pre-auth memory DoS
CVE-2026-27571;GHSA-qrvq-68c2-7grw- 2026-02-23
- Security Note 2026-01
- Golang TLS bug affecting rare configurations
CVE-2025-68121(Golang)- 2026-02-04
- Security Note 2025-01
CVE-2025-30215;GHSA-fhg8-qxh5-7q3w;GO-2025-3600- 2025-04-08
- Security Note 2023-02 (aka CVE-2023-46129)
- nkeys: xkeys Seal encryption used fixed key for all encryption
CVE-2023-46129;GHSA-mr45-rx8q-wcm9- 2023-10-26
- Security Note 2023-01
- Adding accounts for just the system account adds auth bypass
CVE-2023-47090;GHSA-fr2g-9hjm-wr23;GO-2023-2133- 2023-10-12
- CVE-2022-42708
- Server panic from inappropriate JetStream replica count
- 2022-10-10
- CVE-2022-42709
- Server panic from Account import loops, similar to CVE-2020-28466
- 2022-10-10
- CVE-2022-29946
- Negative user permissions not enforced in one scenario
- 2022-05-04
- CVE-2022-28357
- Arbitrary file write from the privileged system account
- 2022-04-18
- CVE-2022-26652
- Arbitrary file write by JetStream-enabled users
- 2022-03-09
- CVE-2022-24450
- Unconstrained account assumption by authenticated clients (CRITICAL)
- 2022-02-07
- CVE-2021-32026
- TLS missing ciphersuite settings when CLI flags used (v.low severity)
- 2021-05-04
- CVE-2021-3127
- Import token permissions checking not enforced
- 2021-03-15
- CVE-2020-28466
- Account service import loop caused nats-server DoS
- NATS server upgrade required to avoid Denial-of-Service
- 2021-03-15
- See also: CVE-2022-42709
- CVE-2020-26521
- Nil deref in JWT library, causing Go panic
- NATS server upgrade required to avoid Denial-of-Service
- 2020-11-02
- CVE-2020-26892
- Incorrect credential expiration handling via JWT library
- API fixes needed by library users
- NATS server upgrade required for expiration to work
- 2020-11-02
- CVE-2020-26149
- Information disclosure in JS client libraries
- MITRE
- 2020-09-29
Exposure Statements
- log4j CVE-2021-44228
- aka Log4Shell, aka LogJam
- Statement for security teams about the exposure of the NATS ecosystem