github.com/nats-io/nats-server/v2 (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/nats-io/nats-server/v2, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (26)
CVE-2022-28357 — CVSS 9.8 (critical): NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action from a management…
CVE-2020-26892 — CVSS 9.8 (critical): The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled.
CVE-2025-30215 — CVSS 9.6 (critical): NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior…
CVE-2022-24450 — CVSS 8.8 (high): NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by…
CVE-2026-33216 — CVSS 8.6 (high): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for…
CVE-2019-13126 — CVSS 7.5 (high): An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted request. If…
CVE-2020-26521 — CVSS 7.5 (high): The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code).
CVE-2020-28466 — CVSS 7.5 (high): This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs…
CVE-2021-3127 — CVSS 7.5 (high): NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.
CVE-2023-46129 — CVSS 7.5 (high): NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge…
CVE-2026-27889 — CVSS 7.5 (high): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to…
CVE-2026-29785 — CVSS 7.5 (high): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if…
CVE-2026-33218 — CVSS 7.5 (high): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a…
CVE-2026-33247 — CVSS 7.4 (high): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a…
CVE-2026-33217 — CVSS 7.1 (high): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when…
CVE-2023-47090 — CVSS 6.5 (medium): NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can…
CVE-2026-33215 — CVSS 6.5 (medium): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client…
CVE-2022-26652 — CVSS 6.5 (medium): NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams…
CVE-2026-33246 — CVSS 6.4 (medium): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a…
CVE-2026-33223 — CVSS 6.4 (medium): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the…
CVE-2022-29946 — CVSS 6.3 (medium): NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused…
CVE-2026-27571 — CVSS 5.9 (medium): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages…
CVE-2026-33219 — CVSS 5.3 (medium): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a…
CVE-2026-33222 — CVSS 4.9 (medium): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users…
CVE-2026-33249 — CVSS 4.3 (medium): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to…
CVE-2026-33248 — CVSS 4.2 (medium): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when…