NATS-Server WebSockets Pre-Authentication Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in NATS-Server versions prior to 2.11.15 and 2.12.6. A malicious client can cause unbounded memory usage by sending a large amount of data over an unprotected WebSockets connection before authentication is required. The vulnerability is a milder variant of CVE-2026-27571: it does not involve a compression bomb, so exploiting it still requires significant client bandwidth.

Impact

Exploitation of this vulnerability leads to excessive memory consumption, which can cause the operating system to terminate the NATS-Server process, taking the server down for all clients.

Remediation

Upgrade to NATS-Server 2.11.15 (2.11.x line) or 2.12.6 (2.12.x line). If WebSockets are not needed for the deployment, the WebSocket listener can be disabled instead, which removes the pre-authentication exposure entirely.
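As an added illustration (not part of the original advisory or the NATS project's own documentation), the following shows what the relevant section of a nats-server configuration file looks like, so an operator can check whether a deployment actually exposes the WebSocket listener. It assumes the server is configured through a config file with a top-level websocket block and that port 8080 was the chosen listener port; both are assumptions for the example.

```conf
# Exposed configuration: a WebSocket listener is enabled. On versions
# before 2.11.15 / 2.12.6 this listener accepts data before authentication.
websocket {
  port: 8080        # assumed port for this example
  no_tls: true      # plaintext listener; the advisory calls this "unprotected"
}

# Remediated configuration when WebSockets are not needed: remove (or comment
# out) the entire websocket block so that no WebSocket listener is started.
# websocket {
#   port: 8080
#   no_tls: true
# }
```

If WebSockets are required, keeping the block is fine only on an upgraded server (2.11.15 or 2.12.6 and later); in that case confirm the running version after the upgrade rather than relying on the config change alone.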

Added: Mar 25, 2026, 10:26 PM
Updated: Mar 25, 2026, 10:26 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 2.5
exploitability: 8.1
remediation: 8.3
relevance: 4.7
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.