CVE-2026-27889: CWE-190: Integer Overflow or Wraparound in nats-io nats-server
NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, so it is exposed to anyone who can connect to the WebSockets port. Versions 2.11.14 and 2.12.5 contain a fix. A workaround is available: the vulnerability only affects deployments that use WebSockets and that expose the network port to untrusted endpoints, so restricting either of these, where possible, is a defense-in-depth measure that mitigates the attack.
AI Analysis
Technical Summary
CVE-2026-27889 is an integer overflow (CWE-190) vulnerability in the nats-io nats-server, a high-performance messaging server used in cloud and edge native environments. The issue exists in the handling of WebSockets frames, where a missing sanity check allows a crafted frame to trigger an integer overflow or wraparound condition. This causes the server to panic and crash, resulting in a denial of service (DoS). The vulnerability is reachable without authentication, because the defect sits in the initial frame processing on the WebSockets port, before any security checks run. Any unauthenticated client that can reach the exposed WebSockets port can therefore crash the server. The affected versions are all releases from 2.2.0 up to but not including the fixed releases 2.11.14 and 2.12.5. Deployments that do not use WebSockets, or that restrict access to the WebSockets port to trusted endpoints, are not affected. No exploits have been reported in the wild, but the ease of triggering a server panic makes this a significant availability risk. The CVSS v3.1 score is 7.5 (High), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or integrity impact, and high availability impact.
Potential Impact
The primary impact of CVE-2026-27889 is a denial of service condition caused by server crashes triggered by unauthenticated attackers sending malicious WebSockets frames. Organizations using nats-server with WebSockets enabled and exposed to untrusted networks risk service outages, which can disrupt messaging infrastructure critical for cloud-native applications, microservices communication, and edge computing environments. This can lead to downtime, degraded service availability, and potential cascading failures in dependent systems. Since the vulnerability is exploitable without authentication or user interaction, it poses a significant risk to publicly accessible deployments. However, there is no direct impact on confidentiality or data integrity. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially for high-value or internet-facing deployments.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade nats-server to version 2.11.14 or 2.12.5 (or later), where the issue is fixed. If an immediate upgrade is not feasible, restrict network access to the WebSockets port to trusted endpoints only, using firewalls, network segmentation, or VPNs, and disable WebSockets support entirely if the deployment does not need it. As defense in depth, monitor WebSockets traffic for anomalous frames and rate-limit connections to reduce the risk of exploitation. Regularly audit and update nats-server deployments to ensure they run supported, patched versions, and maintain incident response plans so that a denial of service event can be recovered from quickly.
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, Canada, Australia, France, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T15:19:29.716Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c43b99f4197a8e3b7c5650
Added to database: 3/25/2026, 7:46:33 PM
Last enriched: 3/25/2026, 8:00:58 PM
Last updated: 3/26/2026, 5:38:51 AM