{
  "threat_severity" : "Important",
  "public_date" : "2026-03-25T19:53:12Z",
  "bugzilla" : {
    "description" : "nats-server: github.com/nats-io/nats-server: NATS-Server: Denial of Service via malformed message pre-authentication on leafnode port",
    "id" : "2451450",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451450"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-1286",
  "details" : [ "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered.", "A flaw was found in NATS-Server, a high-performance messaging system. A remote attacker, by connecting to the leafnode port and sending a specially crafted malformed message before authentication, can cause the nats-server to crash. This vulnerability leads to a Denial of Service (DoS), making the server unavailable to legitimate users." ],
  "package_state" : [ {
    "product_name" : "Multicluster Global Hub",
    "fix_state" : "Not affected",
    "package_name" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/oc-mirror-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33218\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33218\nhttps://advisories.nats.io/CVE/secnote-2026-10.txt\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339" ],
  "name" : "CVE-2026-33218",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}