Vulnerability-Lookup

CVE-2026-29785 (GCVE-0-2026-29785)

Vulnerability from cvelistv5 – Published: 2026-03-25 19:38 – Updated: 2026-03-28 01:34

Title

NATS Server panic via malicious compression on leafnode port

Summary

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nats-io/nats-server/security/a…	x_refsource_CONFIRM
	https://github.com/nats-io/nats-server/commit/a14…	x_refsource_MISC
	https://advisories.nats.io/CVE/secnote-2026-04.txt	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nats-io	nats-server	Affected: < 2.11.14 Affected: >= 2.12.0-RC.1, < 2.12.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29785",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-28T01:33:48.548539Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-28T01:34:06.528Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nats-server",
          "vendor": "nats-io",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.11.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.12.0-RC.1, \u003c 2.12.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the \"leafnode\" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476: NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T19:40:51.282Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6"
        },
        {
          "name": "https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8"
        },
        {
          "name": "https://advisories.nats.io/CVE/secnote-2026-04.txt",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://advisories.nats.io/CVE/secnote-2026-04.txt"
        }
      ],
      "source": {
        "advisory": "GHSA-52jh-2xxh-pwh6",
        "discovery": "UNKNOWN"
      },
      "title": "NATS Server panic via malicious compression on leafnode port"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29785",
    "datePublished": "2026-03-25T19:38:44.587Z",
    "dateReserved": "2026-03-04T16:26:02.899Z",
    "dateUpdated": "2026-03-28T01:34:06.528Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-29785\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-25T20:16:30.373\",\"lastModified\":\"2026-03-26T17:13:31.983\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the \\\"leafnode\\\" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.\"},{\"lang\":\"es\",\"value\":\"NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajer\u00eda nativo de la nube y del borde. Antes de las versiones 2.11.14 y 2.12.5, si el nats-server tiene la configuraci\u00f3n \u0027leafnode\u0027 habilitada (no predeterminada), entonces cualquiera que pueda conectarse puede bloquear el nats-server al desencadenar un p\u00e1nico. Esto ocurre antes de la autenticaci\u00f3n y requiere que la compresi\u00f3n est\u00e9 habilitada (lo cual est\u00e1 habilitado, por defecto, cuando se usan leafnodes). Las versiones 2.11.14 y 2.12.5 contienen una correcci\u00f3n. Como soluci\u00f3n alternativa, deshabilite la compresi\u00f3n en el puerto leafnode.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.11.14\",\"matchCriteriaId\":\"4AC9CDDF-79F4-406A-8BD9-B19953A76A4F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.12.0\",\"versionEndExcluding\":\"2.12.5\",\"matchCriteriaId\":\"B141DA72-3502-4746-A246-EE1087C993F4\"}]}]}],\"references\":[{\"url\":\"https://advisories.nats.io/CVE/secnote-2026-04.txt\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-29785\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-28T01:33:48.548539Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-28T01:34:01.250Z\"}}], \"cna\": {\"title\": \"NATS Server panic via malicious compression on leafnode port\", \"source\": {\"advisory\": \"GHSA-52jh-2xxh-pwh6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"nats-io\", \"product\": \"nats-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.11.14\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.12.0-RC.1, \u003c 2.12.5\"}]}], \"references\": [{\"url\": \"https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6\", \"name\": \"https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8\", \"name\": \"https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://advisories.nats.io/CVE/secnote-2026-04.txt\", \"name\": \"https://advisories.nats.io/CVE/secnote-2026-04.txt\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the \\\"leafnode\\\" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-476\", \"description\": \"CWE-476: NULL Pointer Dereference\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-25T19:40:51.282Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-29785\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-28T01:34:06.528Z\", \"dateReserved\": \"2026-03-04T16:26:02.899Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-25T19:38:44.587Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

WID-SEC-W-2026-0641

Vulnerability from csaf_certbund - Published: 2026-03-09 23:00 - Updated: 2026-03-25 23:00

Summary

NATS Server: Mehrere Schwachstellen ermöglichen Denial of Service

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Der NATS-Server ist ein Server für NATS.io, das Cloud- und Edge-native Messaging-System.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in NATS Server ausnutzen, um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme: - Sonstiges - UNIX

CVE-2026-27889

CVE-2026-29785

References

URL

bit-nats-2026-29785

Vulnerability from bitnami_vulndb

Published

2026-03-27 17:45

Modified

2026-03-27 18:14

Summary

NATS Server panic via malicious compression on leafnode port

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "nats",
        "purl": "pkg:bitnami/nats"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.14"
            },
            {
              "introduced": "2.12.0"
            },
            {
              "fixed": "2.12.5"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29785"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:nats:nats_server:*:*:*:*:*:go:*:*"
    ],
    "severity": "High"
  },
  "details": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the \"leafnode\" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.",
  "id": "BIT-nats-2026-29785",
  "modified": "2026-03-27T18:14:10.313Z",
  "published": "2026-03-27T17:45:10.061Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://advisories.nats.io/CVE/secnote-2026-04.txt"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29785"
    }
  ],
  "schema_version": "1.6.2",
  "summary": "NATS Server panic via malicious compression on leafnode port"
}

MSRC_CVE-2026-29785

Vulnerability from csaf_microsoft - Published: 2026-03-02 00:00 - Updated: 2026-04-08 01:38

Summary

NATS Server panic via malicious compression on leafnode port

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-29785

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-476 - NULL Pointer Dereference

None Available There is no fix available for this vulnerability as of now

Vendor Fix 1.31.0-18:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade https://learn.microsoft.com/en-us/azure/azure-lin…

References

URL

GHSA-52JH-2XXH-PWH6

Vulnerability from github – Published: 2026-03-24 21:29 – Updated: 2026-03-27 22:09

Summary

NATS Server panic via malicious compression on leafnode port

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

When configured to accept leafnode connections (for a hub/spoke topology of multiple nats-servers), then the default configuration allows for negotiating compression; a malicious remote NATS server can trigger a server panic via that compression.

Problem Description

If the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used).

Context: a NATS server can form various clustering topologies, including local clusters, and superclusters of clusters, but leafnodes allow for separate administrative domains to link together with limited data communication; eg, a server in a moving vehicle might use a local leafnode for agents to connect to, and sync up to a central service as and when available. The leafnode configuration here is where the central server allows other NATS servers to connect into it, almost like regular NATS clients. Documentation examples typically use port 7422 for leafnode communications.

Affected Versions

Version 2, prior to v2.11.14 or v2.12.5

Workarounds

Disable compression on the leafnode port:

leafnodes {
  port: 7422
  compression: off
}

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-server/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-server/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.12.0-RC.1"
            },
            {
              "fixed": "2.12.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29785"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T21:29:06Z",
    "nvd_published_at": "2026-03-25T20:16:30Z",
    "severity": "HIGH"
  },
  "details": "### Background\n\nNATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.\n\nWhen configured to accept leafnode connections (for a hub/spoke topology of multiple nats-servers), then the default configuration allows for negotiating compression; a malicious remote NATS server can trigger a server panic via that compression.\n\n### Problem Description\n\nIf the nats-server has the \"leafnode\" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used).\n\nContext: a NATS server can form various clustering topologies, including local clusters, and superclusters of clusters, but leafnodes allow for separate administrative domains to link together with limited data communication; eg, a server in a moving vehicle might use a local leafnode for agents to connect to, and sync up to a central service as and when available. The leafnode configuration here is where the central server allows other NATS servers to connect into it, almost like regular NATS clients. Documentation examples typically use port 7422 for leafnode communications.\n\n### Affected Versions\n\nVersion 2, prior to v2.11.14 or v2.12.5\n\n### Workarounds\n\nDisable compression on the leafnode port:\n\n```\nleafnodes {\n  port: 7422\n  compression: off\n}\n```",
  "id": "GHSA-52jh-2xxh-pwh6",
  "modified": "2026-03-27T22:09:21Z",
  "published": "2026-03-24T21:29:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29785"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8"
    },
    {
      "type": "WEB",
      "url": "https://advisories.nats.io/CVE/secnote-2026-04.txt"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nats-io/nats-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NATS Server panic via malicious compression on leafnode port"
}

FKIE_CVE-2026-29785

Vulnerability from fkie_nvd - Published: 2026-03-25 20:16 - Updated: 2026-03-26 17:13

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://advisories.nats.io/CVE/secnote-2026-04.txt	Mitigation, Vendor Advisory
security-advisories@github.com	https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8	Patch
security-advisories@github.com	https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6	Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	linuxfoundation	nats-server	*
	linuxfoundation	nats-server	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4AC9CDDF-79F4-406A-8BD9-B19953A76A4F",
              "versionEndExcluding": "2.11.14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B141DA72-3502-4746-A246-EE1087C993F4",
              "versionEndExcluding": "2.12.5",
              "versionStartIncluding": "2.12.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the \"leafnode\" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port."
    },
    {
      "lang": "es",
      "value": "NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajer\u00eda nativo de la nube y del borde. Antes de las versiones 2.11.14 y 2.12.5, si el nats-server tiene la configuraci\u00f3n \u0027leafnode\u0027 habilitada (no predeterminada), entonces cualquiera que pueda conectarse puede bloquear el nats-server al desencadenar un p\u00e1nico. Esto ocurre antes de la autenticaci\u00f3n y requiere que la compresi\u00f3n est\u00e9 habilitada (lo cual est\u00e1 habilitado, por defecto, cuando se usan leafnodes). Las versiones 2.11.14 y 2.12.5 contienen una correcci\u00f3n. Como soluci\u00f3n alternativa, deshabilite la compresi\u00f3n en el puerto leafnode."
    }
  ],
  "id": "CVE-2026-29785",
  "lastModified": "2026-03-26T17:13:31.983",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-25T20:16:30.373",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://advisories.nats.io/CVE/secnote-2026-04.txt"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

CERTFR-2026-AVI-0406

Vulnerability from certfr_avis - Published: 2026-04-08 - Updated: 2026-04-08

De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	N/A	azl3 python-ecdsa 0.18.0-2 versions antérieures à 0.19.2-1
Microsoft	N/A	azl3 freeipmi 1.6.11-1 versions antérieures à 1.6.17-1
Microsoft	N/A	azl3 kernel 6.6.130.1-3 versions antérieures à 6.6.130.1-3
Microsoft	N/A	azl3 nodejs 20.14.0-14 versions antérieures à 20.14.0-15
Microsoft	N/A	azl3 gdk-pixbuf2 2.42.10-4 versions antérieures à 2.42.10-5
Microsoft	N/A	azl3 vim 9.2.0240-1 versions antérieures à 9.2.0315-1
Microsoft	N/A	azl3 telegraf 1.31.0-17 versions antérieures à 1.31.0-18

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-29785 (GCVE-0-2026-29785)

WID-SEC-W-2026-0641

bit-nats-2026-29785

Vulnerability from bitnami_vulndb

MSRC_CVE-2026-29785

GHSA-52JH-2XXH-PWH6

Background

Problem Description

Affected Versions

Workarounds

FKIE_CVE-2026-29785

CERTFR-2026-AVI-0406

Solutions

Tags

Sightings

Nomenclature