{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27889", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T15:19:29.716Z", "datePublished": "2026-03-25T19:36:36.370Z", "dateUpdated": "2026-03-25T20:06:31.897Z"}, "containers": {"cna": {"title": "NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead", "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-pq2q-rcw4-3hr6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-pq2q-rcw4-3hr6"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-03.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-03.txt"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": ">= 2.2.0, < 2.11.14", "status": "affected"}, {"version": ">= 2.12.0, < 2.12.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T19:36:36.370Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port. Versions 2.11.14 and 2.12.5 contains a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If one is able to do so, a defense in depth of restricting either of these will mitigate the attack."}], "source": {"advisory": "GHSA-pq2q-rcw4-3hr6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:06:22.827675Z", "id": "CVE-2026-27889", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:06:31.897Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27889", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:06:22.827675Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:06:28.024Z"}}], "cna": {"title": "NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead", "source": {"advisory": "GHSA-pq2q-rcw4-3hr6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"status": "affected", "version": ">= 2.2.0, < 2.11.14"}, {"status": "affected", "version": ">= 2.12.0, < 2.12.5"}]}], "references": [{"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-pq2q-rcw4-3hr6", "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-pq2q-rcw4-3hr6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://advisories.nats.io/CVE/secnote-2026-03.txt", "name": "https://advisories.nats.io/CVE/secnote-2026-03.txt", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port. Versions 2.11.14 and 2.12.5 contains a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If one is able to do so, a defense in depth of restricting either of these will mitigate the attack."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T19:36:36.370Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27889", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:06:31.897Z", "dateReserved": "2026-02-24T15:19:29.716Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T19:36:36.370Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port. Versions 2.11.14 and 2.12.5 contains a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If one is able to do so, a defense in depth of restricting either of these will mitigate the attack."}], "id": "CVE-2026-27889", "lastModified": "2026-03-25T20:16:27.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T20:16:27.210", "references": [{"source": "security-advisories@github.com", "url": "https://advisories.nats.io/CVE/secnote-2026-03.txt"}, {"source": "security-advisories@github.com", "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-pq2q-rcw4-3hr6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T20:50:24.446807+00:00", "value": {"mitigation_remediation": ["Upgrade nats-server to version 2.11.14 or later, or 2.12.5 onward.", "Apply the official workaround if an upgrade is not immediately possible.", "Restrict the WebSocket port to trusted networks or disable WebSocket support if it is not required."], "summary": {"action": "Patch Immediately", "impact": "Remote Server Crash"}, "threat_synthesis": {"affected_systems": "The vulnerability affects nats-io nats-server, specifically versions from 2.2.0 up to but excluding 2.11.14 and 2.12.5. Deployments that enable WebSocket support and expose the port to untrusted networks are at risk. The patch is incorporated in 2.11.14 and 2.12.5, and later releases are safe.", "description_and_impact": "A missing sanity check in the WebSocket frame parsing routine of nats-server allows a signed integer overflow (CWE-190) when handling frames with an excessively large length. Because the error occurs before authentication, an attacker can craft a malicious frame that triggers a server panic, causing the messaging service to crash and leading to a denial\u2011of\u2011service for all clients.", "risk_and_exploitability": "The CVSS score of 7.5 classifies this as a high\u2011severity issue. Attackers need only reach the WebSocket port; no authentication is required. Although no EPSS data is available and the vulnerability is not listed in the KEV catalog, the simple exploitation path and the lack of defensive controls make it likely to be exploited where exposed."}}}}, "created": "2026-03-25T21:46:25.013358+00:00", "updated": "2026-03-25T21:46:25.013381+00:00", "vendors": []}