CVE-2026-29785

moderate-risk

Published 2026-03-25

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.

Do I need to act?

0.09% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Nats-Server

Affected Vendors

Linuxfoundation

References (3)

Mitigation https://advisories.nats.io/CVE/secnote-2026-04.txt

Patch https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f1...

Mitigation https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal