pkg:Go/github.com/nats-io/nats-server/v2

50 total CVEsCRITICAL4HIGH22MEDIUM22

✅ Check your installed version

All known vulnerabilities

CRITICAL9.8CVE-2022-28357NATS nats-server allows directory traversal via unintended path to a management action in github.com/nats-io/nats-server
>= 2.2.0, < 2.7.4
CRITICAL9.8CVE-2020-26892Incorrect handling of credential expiry in github.com/nats-io/jwt
from 0, < 2.1.9
CRITICAL9.6CVE-2025-30215Missing ACLs on JavaScript APIs allowing privilege escalation github.com/nats-io/nats-server
>= 2.11.0-RC.1, < 2.11.1
CRITICAL9.6CVE-2025-30215Missing ACLs on JavaScript APIs allowing privilege escalation github.com/nats-io/nats-server
>= 2.2.0, < 2.10.27, >= 2.11.0, < 2.11.1
HIGH8.8CVE-2022-24450Incorrect Authorization in NATS nats-server in github.com/nats-io/nats-server
>= 2.0.0, < 2.7.2
HIGH8.8CVE-2022-24450Incorrect Authorization in NATS nats-server in github.com/nats-io/nats-server
>= 2.0.0, < 2.7.2
HIGH8.6CVE-2026-33216NATS has MQTT plaintext password disclosure
from 0, < 2.11.15
HIGH8.6CVE-2026-33216NATS has MQTT plaintext password disclosure
from 0, < 2.11.15, >= 2.12.0-RC.1, < 2.12.6
HIGH7.5CVE-2026-27889NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead
>= 2.2.0, < 2.11.14, >= 2.12.0, < 2.12.5
HIGH7.5CVE-2026-27889NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead
>= 2.2.0, < 2.11.14
HIGH7.5CVE-2026-33218NATS has pre-auth server panic via leafnode handling
from 0, < 2.11.15, >= 2.12.0-RC.1, < 2.12.6
HIGH7.5CVE-2026-33218NATS has pre-auth server panic via leafnode handling
from 0, < 2.11.15
HIGH7.5CVE-2026-29785NATS Server panic via malicious compression on leafnode port in github.com/nats-io/nats-server
from 0, < 2.11.14
HIGH7.5CVE-2026-29785NATS Server panic via malicious compression on leafnode port in github.com/nats-io/nats-server
from 0, < 2.11.14, >= 2.12.0-RC.1, < 2.12.5
HIGH7.5CVE-2023-46129xkeys seal encryption used fixed key for all encryption
>= 2.10.0, < 2.10.4
HIGH7.5CVE-2020-28466Denial of service in github.com/nats-io/nats-server/server
from 0, < 2.2.0
HIGH7.5CVE-2020-28466Denial of service in github.com/nats-io/nats-server/server
from 0, < 2.2.0
HIGH7.5CVE-2021-3127nats-io/jwt not enforcing checking of Import token permissions
from 0, < 2.2.0
HIGH7.5CVE-2021-3127nats-io/jwt not enforcing checking of Import token permissions
from 0, < 2.2.0
HIGH7.5CVE-2020-26521Panic in NATS JWT decoding in github.com/nats-io/jwt
from 0, < 2.1.9
HIGH7.5CVE-2019-13126Integer Overflow or Wraparound in NATS Server
from 0, < 2.2.0
HIGH7.5CVE-2019-13126Integer Overflow or Wraparound in NATS Server
from 0, < 2.2.0
HIGH7.4CVE-2026-33247NATS credentials are exposed in monitoring port via command-line argv
from 0, < 2.11.15
HIGH7.4CVE-2026-33247NATS credentials are exposed in monitoring port via command-line argv
from 0, < 2.11.15, >= 2.12.0-RC.1, < 2.12.6
HIGH7.1CVE-2026-33217NATS allows MQTT clients to bypass ACL checks
from 0, < 2.11.15
HIGH7.1CVE-2026-33217NATS allows MQTT clients to bypass ACL checks
from 0, < 2.11.15, >= 2.12.0-RC.1, < 2.12.6
MEDIUM6.5CVE-2026-33215NATS is vulnerable to MQTT hijacking via Client ID
from 0, < 2.11.15, >= 2.12.0-RC.1, < 2.12.6
MEDIUM6.5CVE-2026-33215NATS is vulnerable to MQTT hijacking via Client ID
from 0, < 2.11.15
MEDIUM6.5CVE-2022-29946NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects in github.com/nats-io/nats-server
from 0, < 2.8.2
MEDIUM6.5CVE-2022-29946NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects in github.com/nats-io/nats-server
from 0, < 2.8.2
MEDIUM6.5CVE-2023-47090Authorization bypass in github.com/nats-io/nats-server/v2
>= 2.2.0, < 2.9.23
MEDIUM6.5CVE-2023-47090Authorization bypass in github.com/nats-io/nats-server/v2
>= 2.2.0, < 2.9.23, >= 2.10.0, < 2.10.2
MEDIUM6.5CVE-2022-26652Arbitrary file write in nats-server
>= 2.2.0, < 2.7.4
MEDIUM6.5CVE-2022-26652Arbitrary file write in nats-server
>= 2.2.0, < 2.7.4
MEDIUM6.4CVE-2026-33246NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers
from 0, < 2.11.15, >= 2.12.0-RC.1, < 2.12.6
MEDIUM6.4CVE-2026-33246NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers
from 0, < 2.11.15
MEDIUM6.4CVE-2026-33223NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing
from 0, < 2.11.15, >= 2.12.0-RC.1, < 2.12.6
MEDIUM6.4CVE-2026-33223NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing
from 0, < 2.11.15
MEDIUM5.9CVE-2026-27571nats-server websockets are vulnerable to pre-auth memory DoS
from 0, < 2.11.12
MEDIUM5.9CVE-2026-27571nats-server websockets are vulnerable to pre-auth memory DoS
from 0, < 2.11.12, >= 2.12.0-RC.1, < 2.12.3
MEDIUM5.3CVE-2026-33219NATS is vulnerable to pre-auth DoS through WebSockets client service
from 0, < 2.11.15
MEDIUM5.3CVE-2026-33219NATS is vulnerable to pre-auth DoS through WebSockets client service
from 0, < 2.11.15, >= 2.12.0-RC.1, < 2.12.6
MEDIUM4.9CVE-2026-33222NATS JetStream has an authorization bypass through its Management API
from 0, < 2.11.15, >= 2.12.0-RC.1, < 2.12.6
MEDIUM4.9CVE-2026-33222NATS JetStream has an authorization bypass through its Management API
from 0, < 2.11.15
MEDIUM4.3CVE-2026-33249NATS: Message tracing can be redirected to arbitrary subject
>= 2.11.0, < 2.11.15
MEDIUM4.3CVE-2026-33249NATS: Message tracing can be redirected to arbitrary subject
>= 2.11.0, < 2.11.15, >= 2.12.0-preview.1, < 2.12.6
MEDIUM4.2CVE-2026-33248NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
from 0, < 2.11.15, >= 2.12.0-RC.1, < 2.12.6
MEDIUM4.2CVE-2026-33248NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
from 0, < 2.11.15
—CVE-2021-32026NATS server TLS missing ciphersuite settings when CLI flags used in github.com/nats-io/nats-server
from 0, < 2.2.3
—CVE-2021-32026NATS server TLS missing ciphersuite settings when CLI flags used in github.com/nats-io/nats-server
from 0, < 2.2.3