UBUNTU-CVE-2026-27889

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2026-27889
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-27889.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-27889
Upstream
  • CVE-2026-27889
Published
2026-03-27T00:00:00Z
Modified
2026-03-27T17:19:37.055812Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port. Versions 2.11.14 and 2.12.5 contains a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If one is able to do so, a defense in depth of restricting either of these will mitigate the attack.

References

Affected packages

Ubuntu:24.04:LTS / nats-server

Package

Name
nats-server
Purl
pkg:deb/ubuntu/nats-server@2.10.7-1ubuntu0.3?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.9.19-1build1
2.10.3-1
2.10.4-1
2.10.7-1
2.10.7-1ubuntu0.1
2.10.7-1ubuntu0.2
2.10.7-1ubuntu0.3

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "golang-github-nats-io-nats-server-dev",
            "binary_version": "2.10.7-1ubuntu0.3"
        },
        {
            "binary_name": "nats-server",
            "binary_version": "2.10.7-1ubuntu0.3"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-27889.json"

Ubuntu:25.10 / nats-server

Package

Name
nats-server
Purl
pkg:deb/ubuntu/nats-server@2.10.27-1?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.10.24-1
2.10.27-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "golang-github-nats-io-nats-server-dev",
            "binary_version": "2.10.27-1"
        },
        {
            "binary_name": "nats-server",
            "binary_version": "2.10.27-1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-27889.json"