nats security

About this tag
The nats security tag covers vulnerabilities and hardening guidance for the NATS messaging system. Recent discussions focus on CVE-2026-33216, a high-severity credential exposure flaw that leaks MQTT passwords through monitoring endpoints in nats-server versions before 2.11.15 and 2.12.6. Another critical issue, CVE-2026-27571, involves a pre-authentication memory exhaustion attack via WebSocket compression bombs, patched in the same release lines. Topics include CWE-256 classification, official NATS security advisories, and practical mitigations for operators. The tag is relevant for administrators and developers securing NATS deployments against credential disclosure and denial-of-service risks.
  1. CVE-2026-33216: NATS MQTT Passwords Exposed via Monitoring Endpoints

    NATS users running MQTT workloads have a fresh security issue to track: CVE-2026-33216, a password-disclosure flaw that can expose MQTT credentials through monitoring endpoints. The vulnerability affects nats-server builds before 2.11.15 and 2.12.6, and it matters because the leak is not a...
  2. NATS CVE-2026-27571 WebSocket Compression Bomb Patch and Mitigations

    NATS server’s WebSocket handler contains a pre-authentication memory exhaustion vulnerability that can be triggered by a crafted compressed frame — a “compression bomb” — allowing an unauthenticated attacker to force excessive memory allocation and potentially crash the server; the issue is...
  3. CVE-2024-38126: Critical NAT Vulnerability Threatens Windows Security

    In light of the recent security disclosure, the Windows community must be informed about CVE-2024-38126, a security vulnerability affecting the Network Address Translation (NAT) component in Windows systems. This announcement, published by the Microsoft Security Response Center (MSRC)...