Subject: nats-server: WebSockets pre-auth DoS
NATS-advisory-ID: 2026-11
Aliases: CVE-2026-33219, GHSA-8r68-gvr4-jh7j
Date: 2026-03-24
Fixed-In: 2.12.6, 2.11.15

Background:

NATS.io is a high-performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.

Problem Description:

A malicious client which can connect to the WebSockets port can cause unbounded memory use in nats-server before authentication. The memory consumed grows with the amount of data the client sends, so the attacker must actually transmit a correspondingly large amount of data.

This is a milder variant of NATS-advisory-ID 2026-02 (aka CVE-2026-27571; GHSA-qrvq-68c2-7grw). That earlier issue was a compression bomb, where a small payload expanded into a large allocation; this vulnerability is not. Attacks against this new issue therefore require significant client bandwidth.

Affected Versions:

nats-server: any version before v2.12.6 or v2.11.15

Workarounds:

Disable websockets if not required for your deployment.

References:

* This document is canonically:
* GHSA advisory:
* MITRE CVE entry:
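Fleet operators usually want to turn the Fixed-In and Affected Versions lines above into a check they can run against every server. The following is an added example, not code from the advisory or from the nats-server project: it decides whether a given nats-server version string falls in the affected range (older than 2.12.6 on the 2.12 branch, older than 2.11.15 on the 2.11 branch, or any release older than both), and applies that decision to a constructed sample of the JSON served on the monitoring port's /varz endpoint. The sample document, its server_id, and the assumption that /varz carries a top-level "websocket" object only when the WebSocket listener is configured are all assumptions made for this example.

```python
"""Decide whether a nats-server build is affected by NATS-advisory-ID 2026-11.

Added example for this advisory; not nats-server project code.
"""
import json
import re

# First non-vulnerable release on each maintained branch, per the advisory's Fixed-In line.
FIXED_IN = [(2, 12, 6), (2, 11, 15)]

# Constructed sample of a /varz response; "server_id" and the "websocket" block are
# assumptions for this example (the "version" field is what the check depends on).
SAMPLE_VARZ = (
    '{"server_id": "NEXAMPLE", "version": "2.12.5", '
    '"websocket": {"host": "0.0.0.0", "port": 8080}}'
)


def parse_version(s: str) -> tuple:
    """Return (major, minor, patch) from strings like "2.12.5" or "v2.11.14".

    Pre-release or build suffixes are ignored, so "2.12.6-beta" compares as 2.12.6;
    treat such builds as suspect and confirm them by hand.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised nats-server version: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version is older than the fix on its branch.

    Branches with a fix (2.12.x, 2.11.x) are safe from the fixed patch level upward.
    Any other version is affected only if it predates the oldest fixed release, so an
    older branch such as 2.10.x is affected while a newer branch such as 2.13.x is not.
    """
    v = parse_version(version)
    for fixed in FIXED_IN:
        if v[:2] == fixed[:2]:
            return v < fixed
    return v < min(FIXED_IN)


def check_varz(varz_json: str) -> dict:
    """Summarise exposure from a /varz document: version, affected, websocket enabled."""
    info = json.loads(varz_json)
    version = info["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        # Assumption: the listener is reported as a top-level "websocket" object.
        "websocket_enabled": "websocket" in info,
    }


if __name__ == "__main__":
    report = check_varz(SAMPLE_VARZ)
    status = "AFFECTED" if report["affected"] else "fixed"
    exposure = "websocket listener enabled" if report["websocket_enabled"] else "websocket disabled"
    print(f"nats-server {report['version']}: {status}, {exposure}")
```

A server that reports an affected version with the WebSocket listener enabled is exposed to unauthenticated clients on that port; upgrade it, or, as the Workarounds section says, remove the `websocket` block from its configuration until it can be upgraded. A server on an affected version with no listener is not reachable through this issue.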