Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    74 vulnerabilities found for nats-server by linuxfoundation

    CVE-2026-58211 (GCVE-0-2026-58211)

    Vulnerability from nvd – Published: 2026-07-08 20:16 – Updated: 2026-07-09 14:27
    VLAI
    Title
    NATS Server: `no_auth_user` pre-CONNECT fast path bypasses user connection restrictions
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client could be registered as the configured no_auth_user through a parser path used when the first client operation was not CONNECT, bypassing user-level connection restrictions such as allowed_connection_types or proxy_required that normal authentication would apply. This issue is fixed in versions 2.14.3 and 2.12.12.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.12.12
    Affected: >= 2.14.0-RC.1, < 2.14.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58211",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:27:18.977045Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:27:25.118Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client could be registered as the configured no_auth_user through a parser path used when the first client operation was not CONNECT, bypassing user-level connection restrictions such as allowed_connection_types or proxy_required that normal authentication would apply. This issue is fixed in versions 2.14.3 and 2.12.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:16:25.262Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-hmmp-q8cx-v964",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-hmmp-q8cx-v964"
            }
          ],
          "source": {
            "advisory": "GHSA-hmmp-q8cx-v964",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: `no_auth_user` pre-CONNECT fast path bypasses user connection restrictions"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58211",
        "datePublished": "2026-07-08T20:16:25.262Z",
        "dateReserved": "2026-06-29T17:09:25.872Z",
        "dateUpdated": "2026-07-09T14:27:25.118Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58208 (GCVE-0-2026-58208)

    Vulnerability from nvd – Published: 2026-07-08 20:17 – Updated: 2026-07-09 14:04
    VLAI
    Title
    NATS Server: MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before MQTT Is Enabled
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with access to the WebSocket listener to reach uninitialized MQTT state and crash the server process. This issue is fixed in versions 2.14.3 and 2.12.12.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: >= 2.14.0-RC.1, < 2.14.3
    Affected: < 2.12.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58208",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:04:07.392572Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:04:28.045Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.3"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.12.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with access to the WebSocket listener to reach uninitialized MQTT state and crash the server process. This issue is fixed in versions 2.14.3 and 2.12.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-248",
                  "description": "CWE-248: Uncaught Exception",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:17:39.187Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-p957-7v2w-g93g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-p957-7v2w-g93g"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/73b3dd9a5ea0fa7bf08b702338676355b29b5fb4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/73b3dd9a5ea0fa7bf08b702338676355b29b5fb4"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/837536b98b3a9280b993282155ff2bdd3ca38c30",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/837536b98b3a9280b993282155ff2bdd3ca38c30"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3"
            }
          ],
          "source": {
            "advisory": "GHSA-p957-7v2w-g93g",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before MQTT Is Enabled"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58208",
        "datePublished": "2026-07-08T20:17:39.187Z",
        "dateReserved": "2026-06-29T17:09:25.872Z",
        "dateUpdated": "2026-07-09T14:04:28.045Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58207 (GCVE-0-2026-58207)

    Vulnerability from nvd – Published: 2026-07-08 20:15 – Updated: 2026-07-09 14:41
    VLAI
    Title
    NATS Server: Remote crash via integer overflow in Connz pagination
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client able to send account-scoped connection monitoring requests could crash the server by supplying Connz pagination Offset and Limit values that overflowed internal arithmetic before the response window was safely bounded. This issue is fixed in versions 2.14.3 and 2.12.12.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.12.12
    Affected: >= 2.14.0-RC.1, < 2.14.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58207",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:21:06.599044Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:41:02.162Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client able to send account-scoped connection monitoring requests could crash the server by supplying Connz pagination Offset and Limit values that overflowed internal arithmetic before the response window was safely bounded. This issue is fixed in versions 2.14.3 and 2.12.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:15:31.082Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-q59r-vq66-pxc2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-q59r-vq66-pxc2"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/2ae047139e37a38cb01e259a67909e7a39fa38e9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/2ae047139e37a38cb01e259a67909e7a39fa38e9"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/894d9411927681d66ce349bf1afe49608dc0c1a3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/894d9411927681d66ce349bf1afe49608dc0c1a3"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3"
            }
          ],
          "source": {
            "advisory": "GHSA-q59r-vq66-pxc2",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: Remote crash via integer overflow in Connz pagination"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58207",
        "datePublished": "2026-07-08T20:15:31.082Z",
        "dateReserved": "2026-06-29T17:09:25.872Z",
        "dateUpdated": "2026-07-09T14:41:02.162Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58254 (GCVE-0-2026-58254)

    Vulnerability from nvd – Published: 2026-07-08 19:56 – Updated: 2026-07-09 13:38
    VLAI
    Title
    NATS Server: Incomplete fix for CVE-2026-33249: Leaf node connections bypass Nats-Trace-Dest permission check
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode operator to send trace events to subjects that would not otherwise be permitted and to use trace-only behavior to prevent normal delivery or storage of affected messages. This issue is fixed in versions 2.14.3 and 2.12.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.12.8
    Affected: >= 2.14.0-RC.1, < 2.14.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:38:04.787145Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:38:17.588Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode operator to send trace events to subjects that would not otherwise be permitted and to use trace-only behavior to prevent normal delivery or storage of affected messages. This issue is fixed in versions 2.14.3 and 2.12.8."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:56:58.311Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-p3j5-5hrq-p75h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-p3j5-5hrq-p75h"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/cbe845932980b71563efac5cfa4cc751c88936cd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/cbe845932980b71563efac5cfa4cc751c88936cd"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.8"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3"
            }
          ],
          "source": {
            "advisory": "GHSA-p3j5-5hrq-p75h",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: Incomplete fix for CVE-2026-33249: Leaf node connections bypass Nats-Trace-Dest permission check"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58254",
        "datePublished": "2026-07-08T19:56:58.311Z",
        "dateReserved": "2026-06-29T21:54:30.330Z",
        "dateUpdated": "2026-07-09T13:38:17.588Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58253 (GCVE-0-2026-58253)

    Vulnerability from nvd – Published: 2026-07-08 19:43 – Updated: 2026-07-09 13:35
    VLAI
    Title
    NATS Server: Route API Auth Bypass
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, when no_auth_user was configured, a parser fast path intended for ordinary client connections could also apply to route or leafnode listeners, allowing an unauthenticated peer to bypass inter-server CONNECT authentication and operate with the privileges associated with that connection type. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.11.16
    Affected: >= 2.12.0-preview.1, < 2.12.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58253",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:35:15.515260Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:35:24.068Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.11.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-preview.1, \u003c 2.12.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, when no_auth_user was configured, a parser fast path intended for ordinary client connections could also apply to route or leafnode listeners, allowing an unauthenticated peer to bypass inter-server CONNECT authentication and operate with the privileges associated with that connection type. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:43:13.776Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-38x3-76xf-cq45",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-38x3-76xf-cq45"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/7b81dd455ea95960090a84858c7662827948d1b6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/7b81dd455ea95960090a84858c7662827948d1b6"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/8b8e1ad4ceed32321e00d4fc6e76be05bc13bca6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/8b8e1ad4ceed32321e00d4fc6e76be05bc13bca6"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/b86147e81710a52b72a7f7275f91d69f723f5cb3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/b86147e81710a52b72a7f7275f91d69f723f5cb3"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.11.16",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.11.16"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.7"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.0"
            }
          ],
          "source": {
            "advisory": "GHSA-38x3-76xf-cq45",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: Route API Auth Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58253",
        "datePublished": "2026-07-08T19:43:13.776Z",
        "dateReserved": "2026-06-29T21:54:30.330Z",
        "dateUpdated": "2026-07-09T13:35:24.068Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58252 (GCVE-0-2026-58252)

    Vulnerability from nvd – Published: 2026-07-08 19:46 – Updated: 2026-07-09 13:34
    VLAI
    Title
    NATS Server: Subscribe Authz Bypass via Wildcard-Overlap
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a configured wildcard deny rule but was not a subset of it, and queue subscriptions could also affect delivery to legitimate queue consumers. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.11.16
    Affected: >= 2.12.0-preview.1, < 2.12.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58252",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:34:18.644909Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:34:28.023Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.11.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-preview.1, \u003c 2.12.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a configured wildcard deny rule but was not a subset of it, and queue subscriptions could also affect delivery to legitimate queue consumers. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:46:54.572Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-wh7g-5m82-pmhr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-wh7g-5m82-pmhr"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/8ced85a11497f86704a95d960281480ce037386b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/8ced85a11497f86704a95d960281480ce037386b"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/a42a6d1e258eb5c3a2190384d31965a4b715e854",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/a42a6d1e258eb5c3a2190384d31965a4b715e854"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/e611ca9604697b02d8f22beb76037400a9cf72e6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/e611ca9604697b02d8f22beb76037400a9cf72e6"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.11.16",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.11.16"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.7"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.0"
            }
          ],
          "source": {
            "advisory": "GHSA-wh7g-5m82-pmhr",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: Subscribe Authz Bypass via Wildcard-Overlap"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58252",
        "datePublished": "2026-07-08T19:46:10.380Z",
        "dateReserved": "2026-06-29T21:54:30.330Z",
        "dateUpdated": "2026-07-09T13:34:28.023Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58251 (GCVE-0-2026-58251)

    Vulnerability from nvd – Published: 2026-07-08 19:40 – Updated: 2026-07-09 13:40
    VLAI
    Title
    NATS Server: Queue Subscribe Authz Bypass
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by using a queue subscription, because queue-specific deny evaluation could override the plain subject deny result when the queue name itself was not denied. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.11.16
    Affected: >= 2.12.0-RC.1, < 2.12.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58251",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:40:09.306056Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:40:28.073Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.11.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-RC.1, \u003c 2.12.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by using a queue subscription, because queue-specific deny evaluation could override the plain subject deny result when the queue name itself was not denied. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:40:28.308Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-jx8g-9g95-6322",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-jx8g-9g95-6322"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/013586288078def45a6788096924eb4d150db65c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/013586288078def45a6788096924eb4d150db65c"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/79c2f6e9ff87f594596337b6427dda85c38d1fe1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/79c2f6e9ff87f594596337b6427dda85c38d1fe1"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/b9ffb63b85e7db3d25a13b2e234f5f7f7c13164d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/b9ffb63b85e7db3d25a13b2e234f5f7f7c13164d"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.11.16",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.11.16"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.7"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.0"
            }
          ],
          "source": {
            "advisory": "GHSA-jx8g-9g95-6322",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: Queue Subscribe Authz Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58251",
        "datePublished": "2026-07-08T19:40:28.308Z",
        "dateReserved": "2026-06-29T21:54:30.330Z",
        "dateUpdated": "2026-07-09T13:40:28.073Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58250 (GCVE-0-2026-58250)

    Vulnerability from nvd – Published: 2026-07-08 19:48 – Updated: 2026-07-09 13:33
    VLAI
    Title
    NATS Server: Pre-auth server crash via double INFO in leafnode handshake
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server during the pre-authentication leafnode handshake by sending repeated leafnode INFO protocol messages before authentication and account setup completed. This issue is fixed in versions 2.12.8 and 2.11.17.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.11.17
    Affected: >= 2.12.0-preview.1, < 2.12.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58250",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:33:35.375405Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:33:45.059Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.11.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-preview.1, \u003c 2.12.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server during the pre-authentication leafnode handshake by sending repeated leafnode INFO protocol messages before authentication and account setup completed. This issue is fixed in versions 2.12.8 and 2.11.17."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:48:55.058Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3g5q-cfh2-cq67",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3g5q-cfh2-cq67"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/8dcb26eaea78fdcbe96dbee5986d6019fd5cb94a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/8dcb26eaea78fdcbe96dbee5986d6019fd5cb94a"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/fc5fe39177533e9dbdd651d2458285bfae1dde27",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/fc5fe39177533e9dbdd651d2458285bfae1dde27"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.11.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.11.17"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.8"
            }
          ],
          "source": {
            "advisory": "GHSA-3g5q-cfh2-cq67",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: Pre-auth server crash via double INFO in leafnode handshake"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58250",
        "datePublished": "2026-07-08T19:48:55.058Z",
        "dateReserved": "2026-06-29T21:54:30.330Z",
        "dateUpdated": "2026-07-09T13:33:45.059Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58214 (GCVE-0-2026-58214)

    Vulnerability from nvd – Published: 2026-07-08 20:06 – Updated: 2026-07-09 13:32
    VLAI
    Title
    NATS Server: MQTT subscribe ACL bypass via $MQTT.deliver.pubrel prefix (incomplete fix for CVE-2026-33217)
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an authenticated MQTT client could subscribe to the internal $MQTT.deliver.pubrel subject family, bypassing configured subscribe permissions and exposing MQTT QoS2 protocol metadata for sessions in the account. This issue is fixed in versions 2.14.3 and 2.12.12.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.12.12
    Affected: >= 2.14.0-RC.1, < 2.14.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58214",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:32:18.907165Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:32:36.057Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an authenticated MQTT client could subscribe to the internal $MQTT.deliver.pubrel subject family, bypassing configured subscribe permissions and exposing MQTT QoS2 protocol metadata for sessions in the account. This issue is fixed in versions 2.14.3 and 2.12.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:06:34.794Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-4g68-3pwx-5vfj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-4g68-3pwx-5vfj"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/297b166be60fe13144084eed4b25201ead03204a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/297b166be60fe13144084eed4b25201ead03204a"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/34b09657bb596d5f850eaa5cfc97ea6b2f989a97",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/34b09657bb596d5f850eaa5cfc97ea6b2f989a97"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3"
            }
          ],
          "source": {
            "advisory": "GHSA-4g68-3pwx-5vfj",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: MQTT subscribe ACL bypass via $MQTT.deliver.pubrel prefix (incomplete fix for CVE-2026-33217)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58214",
        "datePublished": "2026-07-08T20:06:34.794Z",
        "dateReserved": "2026-06-29T17:09:25.873Z",
        "dateUpdated": "2026-07-09T13:32:36.057Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58213 (GCVE-0-2026-58213)

    Vulnerability from nvd – Published: 2026-07-08 19:52 – Updated: 2026-07-09 13:33
    VLAI
    Title
    NATS Server: MQTT SUBSCRIBE Protocol Injection via Leaf Node/Route Forwarding allows arbitrary NATS command injection
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupting the forwarded protocol stream and allowing injection of unintended NATS protocol operations. This issue is fixed in versions 2.14.1 and 2.12.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.12.9
    Affected: >= 2.14.0-RC.1, < 2.14.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58213",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:32:57.416842Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:33:07.155Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupting the forwarded protocol stream and allowing injection of unintended NATS protocol operations. This issue is fixed in versions 2.14.1 and 2.12.9."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:52:12.148Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-qrcv-3558-gj4f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-qrcv-3558-gj4f"
            },
            {
              "name": "https://github.com/nats-io/nats-server/pull/8163",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/pull/8163"
            },
            {
              "name": "https://github.com/nats-io/nats-server/pull/8164",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/pull/8164"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/366837cfc65ab9ccb4f98193c65e8daf238582d8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/366837cfc65ab9ccb4f98193c65e8daf238582d8"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/64ebae40051ee497c481e10f316238faf0de1736",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/64ebae40051ee497c481e10f316238faf0de1736"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/f14856b9e57a36818f43851cb69b6e33670885c9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/f14856b9e57a36818f43851cb69b6e33670885c9"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.9"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.1"
            }
          ],
          "source": {
            "advisory": "GHSA-qrcv-3558-gj4f",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: MQTT SUBSCRIBE Protocol Injection via Leaf Node/Route Forwarding allows arbitrary NATS command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58213",
        "datePublished": "2026-07-08T19:52:12.148Z",
        "dateReserved": "2026-06-29T17:09:25.873Z",
        "dateUpdated": "2026-07-09T13:33:07.155Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58210 (GCVE-0-2026-58210)

    Vulnerability from nvd – Published: 2026-07-08 20:13 – Updated: 2026-07-09 13:29
    VLAI
    Title
    NATS Server: MQTT partial CONNECT packets can exhaust pre-auth memory
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an unauthenticated MQTT client could cause the server to retain large incomplete MQTT CONNECT packets before authentication completed, consuming server memory while the parser waited for the advertised MQTT packet length. This issue is fixed in versions 2.14.3 and 2.12.12.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.12.12
    Affected: >= 2.14.0-RC.1, < 2.14.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58210",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:29:25.711675Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:29:36.341Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an unauthenticated MQTT client could cause the server to retain large incomplete MQTT CONNECT packets before authentication completed, consuming server memory while the parser waited for the advertised MQTT packet length. This issue is fixed in versions 2.14.3 and 2.12.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:13:37.082Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-r72h-j7qq-v6qg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-r72h-j7qq-v6qg"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/bce9ef39469e610aeddb819194ceb7f7edfc0861",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/bce9ef39469e610aeddb819194ceb7f7edfc0861"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/e016e47bbf70304945f2ae9dc397e4862adefaf5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/e016e47bbf70304945f2ae9dc397e4862adefaf5"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3"
            }
          ],
          "source": {
            "advisory": "GHSA-r72h-j7qq-v6qg",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: MQTT partial CONNECT packets can exhaust pre-auth memory"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58210",
        "datePublished": "2026-07-08T20:13:37.082Z",
        "dateReserved": "2026-06-29T17:09:25.872Z",
        "dateUpdated": "2026-07-09T13:29:36.341Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58209 (GCVE-0-2026-58209)

    Vulnerability from nvd – Published: 2026-07-08 20:12 – Updated: 2026-07-09 13:31
    VLAI
    Title
    NATS Server: MQTT retained and QoS replay bypass subscribe deny filters
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, MQTT retained message delivery and QoS1+ durable replay could deliver messages whose original topics matched a subscriber configured subscribe deny rule because these delivery paths did not consistently recheck the concrete original topic before sending the MQTT PUBLISH to the subscriber. This issue is fixed in versions 2.14.3 and 2.12.12.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.12.12
    Affected: >= 2.14.0-RC.1, < 2.14.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58209",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:30:43.243356Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:31:07.445Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, MQTT retained message delivery and QoS1+ durable replay could deliver messages whose original topics matched a subscriber configured subscribe deny rule because these delivery paths did not consistently recheck the concrete original topic before sending the MQTT PUBLISH to the subscriber. This issue is fixed in versions 2.14.3 and 2.12.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:12:11.240Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-7qmq-8cc4-hxwg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-7qmq-8cc4-hxwg"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/181b1f51f40b9954c57e9d478e051fb257679356",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/181b1f51f40b9954c57e9d478e051fb257679356"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/1c429b6fdc5afd4188cc5faf1127f6334896cd87",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/1c429b6fdc5afd4188cc5faf1127f6334896cd87"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3"
            }
          ],
          "source": {
            "advisory": "GHSA-7qmq-8cc4-hxwg",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: MQTT retained and QoS replay bypass subscribe deny filters"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58209",
        "datePublished": "2026-07-08T20:12:11.240Z",
        "dateReserved": "2026-06-29T17:09:25.872Z",
        "dateUpdated": "2026-07-09T13:31:07.445Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33249 (GCVE-0-2026-33249)

    Vulnerability from nvd – Published: 2026-03-25 20:21 – Updated: 2026-03-26 19:52
    VLAI
    Title
    NATS: Message tracing can be redirected to arbitrary subject
    Summary
    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: >= 2.11.0, < 2.11.15
    Affected: >= 2.12.0-preview.1, < 2.12.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33249",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-26T19:36:51.837783Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-26T19:52:12.206Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.11.0, \u003c 2.11.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-preview.1, \u003c 2.12.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-25T20:21:30.156Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j"
            },
            {
              "name": "https://advisories.nats.io/CVE/secnote-2026-15.txt",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://advisories.nats.io/CVE/secnote-2026-15.txt"
            }
          ],
          "source": {
            "advisory": "GHSA-8m2x-3m6q-6w8j",
            "discovery": "UNKNOWN"
          },
          "title": "NATS: Message tracing can be redirected to arbitrary subject"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33249",
        "datePublished": "2026-03-25T20:21:30.156Z",
        "dateReserved": "2026-03-18T02:42:27.509Z",
        "dateUpdated": "2026-03-26T19:52:12.206Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33248 (GCVE-0-2026-33248)

    Vulnerability from nvd – Published: 2026-03-25 20:18 – Updated: 2026-03-26 19:52
    VLAI
    Title
    NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
    Summary
    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-295 - Improper Certificate Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.11.15
    Affected: >= 2.12.0-RC.1, < 2.12.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33248",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-26T19:35:03.328665Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-26T19:52:12.357Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.11.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-RC.1, \u003c 2.12.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate\u0027s Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295: Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-25T20:18:28.923Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc"
            },
            {
              "name": "https://advisories.nats.io/CVE/secnote-2026-13.txt",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://advisories.nats.io/CVE/secnote-2026-13.txt"
            }
          ],
          "source": {
            "advisory": "GHSA-3f24-pcvm-5jqc",
            "discovery": "UNKNOWN"
          },
          "title": "NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33248",
        "datePublished": "2026-03-25T20:18:28.923Z",
        "dateReserved": "2026-03-18T02:42:27.509Z",
        "dateUpdated": "2026-03-26T19:52:12.357Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33223 (GCVE-0-2026-33223)

    Vulnerability from nvd – Published: 2026-03-25 20:20 – Updated: 2026-03-26 17:51
    VLAI
    Title
    NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing
    Summary
    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    References
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.11.15
    Affected: >= 2.12.0-RC.1, < 2.12.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33223",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-26T17:51:14.602692Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-26T17:51:23.590Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.11.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-RC.1, \u003c 2.12.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290: Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-25T20:20:00.158Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h"
            },
            {
              "name": "https://advisories.nats.io/CVE/secnote-2026-09.txt",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://advisories.nats.io/CVE/secnote-2026-09.txt"
            }
          ],
          "source": {
            "advisory": "GHSA-pwx7-fx9r-hr4h",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33223",
        "datePublished": "2026-03-25T20:20:00.158Z",
        "dateReserved": "2026-03-17T23:23:58.315Z",
        "dateUpdated": "2026-03-26T17:51:23.590Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33222 (GCVE-0-2026-33222)

    Vulnerability from nvd – Published: 2026-03-25 20:10 – Updated: 2026-03-26 15:26
    VLAI
    Title
    NATS JetStream has an authorization bypass through its Management API
    Summary
    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.11.15
    Affected: >= 2.12.0-RC.1, < 2.12.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33222",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-26T15:26:05.405419Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-26T15:26:11.351Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.11.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-RC.1, \u003c 2.12.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-25T20:10:51.107Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c"
            },
            {
              "name": "https://advisories.nats.io/CVE/secnote-2026-12.txt",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://advisories.nats.io/CVE/secnote-2026-12.txt"
            }
          ],
          "source": {
            "advisory": "GHSA-9983-vrx2-fg9c",
            "discovery": "UNKNOWN"
          },
          "title": "NATS JetStream has an authorization bypass through its Management API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33222",
        "datePublished": "2026-03-25T20:10:51.107Z",
        "dateReserved": "2026-03-17T23:23:58.315Z",
        "dateUpdated": "2026-03-26T15:26:11.351Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58208 (GCVE-0-2026-58208)

    Vulnerability from cvelistv5 – Published: 2026-07-08 20:17 – Updated: 2026-07-09 14:04
    VLAI
    Title
    NATS Server: MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before MQTT Is Enabled
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with access to the WebSocket listener to reach uninitialized MQTT state and crash the server process. This issue is fixed in versions 2.14.3 and 2.12.12.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: >= 2.14.0-RC.1, < 2.14.3
    Affected: < 2.12.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58208",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:04:07.392572Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:04:28.045Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.3"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.12.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with access to the WebSocket listener to reach uninitialized MQTT state and crash the server process. This issue is fixed in versions 2.14.3 and 2.12.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-248",
                  "description": "CWE-248: Uncaught Exception",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:17:39.187Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-p957-7v2w-g93g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-p957-7v2w-g93g"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/73b3dd9a5ea0fa7bf08b702338676355b29b5fb4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/73b3dd9a5ea0fa7bf08b702338676355b29b5fb4"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/837536b98b3a9280b993282155ff2bdd3ca38c30",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/837536b98b3a9280b993282155ff2bdd3ca38c30"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3"
            }
          ],
          "source": {
            "advisory": "GHSA-p957-7v2w-g93g",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before MQTT Is Enabled"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58208",
        "datePublished": "2026-07-08T20:17:39.187Z",
        "dateReserved": "2026-06-29T17:09:25.872Z",
        "dateUpdated": "2026-07-09T14:04:28.045Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58211 (GCVE-0-2026-58211)

    Vulnerability from cvelistv5 – Published: 2026-07-08 20:16 – Updated: 2026-07-09 14:27
    VLAI
    Title
    NATS Server: `no_auth_user` pre-CONNECT fast path bypasses user connection restrictions
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client could be registered as the configured no_auth_user through a parser path used when the first client operation was not CONNECT, bypassing user-level connection restrictions such as allowed_connection_types or proxy_required that normal authentication would apply. This issue is fixed in versions 2.14.3 and 2.12.12.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.12.12
    Affected: >= 2.14.0-RC.1, < 2.14.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58211",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:27:18.977045Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:27:25.118Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client could be registered as the configured no_auth_user through a parser path used when the first client operation was not CONNECT, bypassing user-level connection restrictions such as allowed_connection_types or proxy_required that normal authentication would apply. This issue is fixed in versions 2.14.3 and 2.12.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:16:25.262Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-hmmp-q8cx-v964",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-hmmp-q8cx-v964"
            }
          ],
          "source": {
            "advisory": "GHSA-hmmp-q8cx-v964",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: `no_auth_user` pre-CONNECT fast path bypasses user connection restrictions"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58211",
        "datePublished": "2026-07-08T20:16:25.262Z",
        "dateReserved": "2026-06-29T17:09:25.872Z",
        "dateUpdated": "2026-07-09T14:27:25.118Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58207 (GCVE-0-2026-58207)

    Vulnerability from cvelistv5 – Published: 2026-07-08 20:15 – Updated: 2026-07-09 14:41
    VLAI
    Title
    NATS Server: Remote crash via integer overflow in Connz pagination
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client able to send account-scoped connection monitoring requests could crash the server by supplying Connz pagination Offset and Limit values that overflowed internal arithmetic before the response window was safely bounded. This issue is fixed in versions 2.14.3 and 2.12.12.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.12.12
    Affected: >= 2.14.0-RC.1, < 2.14.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58207",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:21:06.599044Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:41:02.162Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client able to send account-scoped connection monitoring requests could crash the server by supplying Connz pagination Offset and Limit values that overflowed internal arithmetic before the response window was safely bounded. This issue is fixed in versions 2.14.3 and 2.12.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:15:31.082Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-q59r-vq66-pxc2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-q59r-vq66-pxc2"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/2ae047139e37a38cb01e259a67909e7a39fa38e9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/2ae047139e37a38cb01e259a67909e7a39fa38e9"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/894d9411927681d66ce349bf1afe49608dc0c1a3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/894d9411927681d66ce349bf1afe49608dc0c1a3"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3"
            }
          ],
          "source": {
            "advisory": "GHSA-q59r-vq66-pxc2",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: Remote crash via integer overflow in Connz pagination"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58207",
        "datePublished": "2026-07-08T20:15:31.082Z",
        "dateReserved": "2026-06-29T17:09:25.872Z",
        "dateUpdated": "2026-07-09T14:41:02.162Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58210 (GCVE-0-2026-58210)

    Vulnerability from cvelistv5 – Published: 2026-07-08 20:13 – Updated: 2026-07-09 13:29
    VLAI
    Title
    NATS Server: MQTT partial CONNECT packets can exhaust pre-auth memory
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an unauthenticated MQTT client could cause the server to retain large incomplete MQTT CONNECT packets before authentication completed, consuming server memory while the parser waited for the advertised MQTT packet length. This issue is fixed in versions 2.14.3 and 2.12.12.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.12.12
    Affected: >= 2.14.0-RC.1, < 2.14.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58210",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:29:25.711675Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:29:36.341Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an unauthenticated MQTT client could cause the server to retain large incomplete MQTT CONNECT packets before authentication completed, consuming server memory while the parser waited for the advertised MQTT packet length. This issue is fixed in versions 2.14.3 and 2.12.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:13:37.082Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-r72h-j7qq-v6qg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-r72h-j7qq-v6qg"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/bce9ef39469e610aeddb819194ceb7f7edfc0861",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/bce9ef39469e610aeddb819194ceb7f7edfc0861"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/e016e47bbf70304945f2ae9dc397e4862adefaf5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/e016e47bbf70304945f2ae9dc397e4862adefaf5"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3"
            }
          ],
          "source": {
            "advisory": "GHSA-r72h-j7qq-v6qg",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: MQTT partial CONNECT packets can exhaust pre-auth memory"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58210",
        "datePublished": "2026-07-08T20:13:37.082Z",
        "dateReserved": "2026-06-29T17:09:25.872Z",
        "dateUpdated": "2026-07-09T13:29:36.341Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58209 (GCVE-0-2026-58209)

    Vulnerability from cvelistv5 – Published: 2026-07-08 20:12 – Updated: 2026-07-09 13:31
    VLAI
    Title
    NATS Server: MQTT retained and QoS replay bypass subscribe deny filters
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, MQTT retained message delivery and QoS1+ durable replay could deliver messages whose original topics matched a subscriber configured subscribe deny rule because these delivery paths did not consistently recheck the concrete original topic before sending the MQTT PUBLISH to the subscriber. This issue is fixed in versions 2.14.3 and 2.12.12.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.12.12
    Affected: >= 2.14.0-RC.1, < 2.14.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58209",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:30:43.243356Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:31:07.445Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, MQTT retained message delivery and QoS1+ durable replay could deliver messages whose original topics matched a subscriber configured subscribe deny rule because these delivery paths did not consistently recheck the concrete original topic before sending the MQTT PUBLISH to the subscriber. This issue is fixed in versions 2.14.3 and 2.12.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:12:11.240Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-7qmq-8cc4-hxwg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-7qmq-8cc4-hxwg"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/181b1f51f40b9954c57e9d478e051fb257679356",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/181b1f51f40b9954c57e9d478e051fb257679356"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/1c429b6fdc5afd4188cc5faf1127f6334896cd87",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/1c429b6fdc5afd4188cc5faf1127f6334896cd87"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3"
            }
          ],
          "source": {
            "advisory": "GHSA-7qmq-8cc4-hxwg",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: MQTT retained and QoS replay bypass subscribe deny filters"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58209",
        "datePublished": "2026-07-08T20:12:11.240Z",
        "dateReserved": "2026-06-29T17:09:25.872Z",
        "dateUpdated": "2026-07-09T13:31:07.445Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58214 (GCVE-0-2026-58214)

    Vulnerability from cvelistv5 – Published: 2026-07-08 20:06 – Updated: 2026-07-09 13:32
    VLAI
    Title
    NATS Server: MQTT subscribe ACL bypass via $MQTT.deliver.pubrel prefix (incomplete fix for CVE-2026-33217)
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an authenticated MQTT client could subscribe to the internal $MQTT.deliver.pubrel subject family, bypassing configured subscribe permissions and exposing MQTT QoS2 protocol metadata for sessions in the account. This issue is fixed in versions 2.14.3 and 2.12.12.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.12.12
    Affected: >= 2.14.0-RC.1, < 2.14.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58214",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:32:18.907165Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:32:36.057Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an authenticated MQTT client could subscribe to the internal $MQTT.deliver.pubrel subject family, bypassing configured subscribe permissions and exposing MQTT QoS2 protocol metadata for sessions in the account. This issue is fixed in versions 2.14.3 and 2.12.12."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:06:34.794Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-4g68-3pwx-5vfj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-4g68-3pwx-5vfj"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/297b166be60fe13144084eed4b25201ead03204a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/297b166be60fe13144084eed4b25201ead03204a"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/34b09657bb596d5f850eaa5cfc97ea6b2f989a97",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/34b09657bb596d5f850eaa5cfc97ea6b2f989a97"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3"
            }
          ],
          "source": {
            "advisory": "GHSA-4g68-3pwx-5vfj",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: MQTT subscribe ACL bypass via $MQTT.deliver.pubrel prefix (incomplete fix for CVE-2026-33217)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58214",
        "datePublished": "2026-07-08T20:06:34.794Z",
        "dateReserved": "2026-06-29T17:09:25.873Z",
        "dateUpdated": "2026-07-09T13:32:36.057Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58254 (GCVE-0-2026-58254)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:56 – Updated: 2026-07-09 13:38
    VLAI
    Title
    NATS Server: Incomplete fix for CVE-2026-33249: Leaf node connections bypass Nats-Trace-Dest permission check
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode operator to send trace events to subjects that would not otherwise be permitted and to use trace-only behavior to prevent normal delivery or storage of affected messages. This issue is fixed in versions 2.14.3 and 2.12.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.12.8
    Affected: >= 2.14.0-RC.1, < 2.14.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:38:04.787145Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:38:17.588Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode operator to send trace events to subjects that would not otherwise be permitted and to use trace-only behavior to prevent normal delivery or storage of affected messages. This issue is fixed in versions 2.14.3 and 2.12.8."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:56:58.311Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-p3j5-5hrq-p75h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-p3j5-5hrq-p75h"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/cbe845932980b71563efac5cfa4cc751c88936cd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/cbe845932980b71563efac5cfa4cc751c88936cd"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.8"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3"
            }
          ],
          "source": {
            "advisory": "GHSA-p3j5-5hrq-p75h",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: Incomplete fix for CVE-2026-33249: Leaf node connections bypass Nats-Trace-Dest permission check"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58254",
        "datePublished": "2026-07-08T19:56:58.311Z",
        "dateReserved": "2026-06-29T21:54:30.330Z",
        "dateUpdated": "2026-07-09T13:38:17.588Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58213 (GCVE-0-2026-58213)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:52 – Updated: 2026-07-09 13:33
    VLAI
    Title
    NATS Server: MQTT SUBSCRIBE Protocol Injection via Leaf Node/Route Forwarding allows arbitrary NATS command injection
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupting the forwarded protocol stream and allowing injection of unintended NATS protocol operations. This issue is fixed in versions 2.14.1 and 2.12.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.12.9
    Affected: >= 2.14.0-RC.1, < 2.14.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58213",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:32:57.416842Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:33:07.155Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.14.0-RC.1, \u003c 2.14.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupting the forwarded protocol stream and allowing injection of unintended NATS protocol operations. This issue is fixed in versions 2.14.1 and 2.12.9."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:52:12.148Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-qrcv-3558-gj4f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-qrcv-3558-gj4f"
            },
            {
              "name": "https://github.com/nats-io/nats-server/pull/8163",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/pull/8163"
            },
            {
              "name": "https://github.com/nats-io/nats-server/pull/8164",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/pull/8164"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/366837cfc65ab9ccb4f98193c65e8daf238582d8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/366837cfc65ab9ccb4f98193c65e8daf238582d8"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/64ebae40051ee497c481e10f316238faf0de1736",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/64ebae40051ee497c481e10f316238faf0de1736"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/f14856b9e57a36818f43851cb69b6e33670885c9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/f14856b9e57a36818f43851cb69b6e33670885c9"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.9"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.1"
            }
          ],
          "source": {
            "advisory": "GHSA-qrcv-3558-gj4f",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: MQTT SUBSCRIBE Protocol Injection via Leaf Node/Route Forwarding allows arbitrary NATS command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58213",
        "datePublished": "2026-07-08T19:52:12.148Z",
        "dateReserved": "2026-06-29T17:09:25.873Z",
        "dateUpdated": "2026-07-09T13:33:07.155Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58250 (GCVE-0-2026-58250)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:48 – Updated: 2026-07-09 13:33
    VLAI
    Title
    NATS Server: Pre-auth server crash via double INFO in leafnode handshake
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server during the pre-authentication leafnode handshake by sending repeated leafnode INFO protocol messages before authentication and account setup completed. This issue is fixed in versions 2.12.8 and 2.11.17.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.11.17
    Affected: >= 2.12.0-preview.1, < 2.12.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58250",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:33:35.375405Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:33:45.059Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.11.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-preview.1, \u003c 2.12.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server during the pre-authentication leafnode handshake by sending repeated leafnode INFO protocol messages before authentication and account setup completed. This issue is fixed in versions 2.12.8 and 2.11.17."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:48:55.058Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3g5q-cfh2-cq67",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3g5q-cfh2-cq67"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/8dcb26eaea78fdcbe96dbee5986d6019fd5cb94a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/8dcb26eaea78fdcbe96dbee5986d6019fd5cb94a"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/fc5fe39177533e9dbdd651d2458285bfae1dde27",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/fc5fe39177533e9dbdd651d2458285bfae1dde27"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.11.17",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.11.17"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.8"
            }
          ],
          "source": {
            "advisory": "GHSA-3g5q-cfh2-cq67",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: Pre-auth server crash via double INFO in leafnode handshake"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58250",
        "datePublished": "2026-07-08T19:48:55.058Z",
        "dateReserved": "2026-06-29T21:54:30.330Z",
        "dateUpdated": "2026-07-09T13:33:45.059Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58252 (GCVE-0-2026-58252)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:46 – Updated: 2026-07-09 13:34
    VLAI
    Title
    NATS Server: Subscribe Authz Bypass via Wildcard-Overlap
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a configured wildcard deny rule but was not a subset of it, and queue subscriptions could also affect delivery to legitimate queue consumers. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.11.16
    Affected: >= 2.12.0-preview.1, < 2.12.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58252",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:34:18.644909Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:34:28.023Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.11.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-preview.1, \u003c 2.12.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a configured wildcard deny rule but was not a subset of it, and queue subscriptions could also affect delivery to legitimate queue consumers. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:46:54.572Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-wh7g-5m82-pmhr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-wh7g-5m82-pmhr"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/8ced85a11497f86704a95d960281480ce037386b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/8ced85a11497f86704a95d960281480ce037386b"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/a42a6d1e258eb5c3a2190384d31965a4b715e854",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/a42a6d1e258eb5c3a2190384d31965a4b715e854"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/e611ca9604697b02d8f22beb76037400a9cf72e6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/e611ca9604697b02d8f22beb76037400a9cf72e6"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.11.16",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.11.16"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.7"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.0"
            }
          ],
          "source": {
            "advisory": "GHSA-wh7g-5m82-pmhr",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: Subscribe Authz Bypass via Wildcard-Overlap"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58252",
        "datePublished": "2026-07-08T19:46:10.380Z",
        "dateReserved": "2026-06-29T21:54:30.330Z",
        "dateUpdated": "2026-07-09T13:34:28.023Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58253 (GCVE-0-2026-58253)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:43 – Updated: 2026-07-09 13:35
    VLAI
    Title
    NATS Server: Route API Auth Bypass
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, when no_auth_user was configured, a parser fast path intended for ordinary client connections could also apply to route or leafnode listeners, allowing an unauthenticated peer to bypass inter-server CONNECT authentication and operate with the privileges associated with that connection type. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.11.16
    Affected: >= 2.12.0-preview.1, < 2.12.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58253",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:35:15.515260Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:35:24.068Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.11.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-preview.1, \u003c 2.12.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, when no_auth_user was configured, a parser fast path intended for ordinary client connections could also apply to route or leafnode listeners, allowing an unauthenticated peer to bypass inter-server CONNECT authentication and operate with the privileges associated with that connection type. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:43:13.776Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-38x3-76xf-cq45",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-38x3-76xf-cq45"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/7b81dd455ea95960090a84858c7662827948d1b6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/7b81dd455ea95960090a84858c7662827948d1b6"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/8b8e1ad4ceed32321e00d4fc6e76be05bc13bca6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/8b8e1ad4ceed32321e00d4fc6e76be05bc13bca6"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/b86147e81710a52b72a7f7275f91d69f723f5cb3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/b86147e81710a52b72a7f7275f91d69f723f5cb3"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.11.16",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.11.16"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.7"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.0"
            }
          ],
          "source": {
            "advisory": "GHSA-38x3-76xf-cq45",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: Route API Auth Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58253",
        "datePublished": "2026-07-08T19:43:13.776Z",
        "dateReserved": "2026-06-29T21:54:30.330Z",
        "dateUpdated": "2026-07-09T13:35:24.068Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58251 (GCVE-0-2026-58251)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:40 – Updated: 2026-07-09 13:40
    VLAI
    Title
    NATS Server: Queue Subscribe Authz Bypass
    Summary
    NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by using a queue subscription, because queue-specific deny evaluation could override the plain subject deny result when the queue name itself was not denied. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.11.16
    Affected: >= 2.12.0-RC.1, < 2.12.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58251",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:40:09.306056Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:40:28.073Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.11.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-RC.1, \u003c 2.12.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by using a queue subscription, because queue-specific deny evaluation could override the plain subject deny result when the queue name itself was not denied. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:40:28.308Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-jx8g-9g95-6322",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-jx8g-9g95-6322"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/013586288078def45a6788096924eb4d150db65c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/013586288078def45a6788096924eb4d150db65c"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/79c2f6e9ff87f594596337b6427dda85c38d1fe1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/79c2f6e9ff87f594596337b6427dda85c38d1fe1"
            },
            {
              "name": "https://github.com/nats-io/nats-server/commit/b9ffb63b85e7db3d25a13b2e234f5f7f7c13164d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/commit/b9ffb63b85e7db3d25a13b2e234f5f7f7c13164d"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.11.16",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.11.16"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.12.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.7"
            },
            {
              "name": "https://github.com/nats-io/nats-server/releases/tag/v2.14.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.0"
            }
          ],
          "source": {
            "advisory": "GHSA-jx8g-9g95-6322",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: Queue Subscribe Authz Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58251",
        "datePublished": "2026-07-08T19:40:28.308Z",
        "dateReserved": "2026-06-29T21:54:30.330Z",
        "dateUpdated": "2026-07-09T13:40:28.073Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33249 (GCVE-0-2026-33249)

    Vulnerability from cvelistv5 – Published: 2026-03-25 20:21 – Updated: 2026-03-26 19:52
    VLAI
    Title
    NATS: Message tracing can be redirected to arbitrary subject
    Summary
    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: >= 2.11.0, < 2.11.15
    Affected: >= 2.12.0-preview.1, < 2.12.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33249",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-26T19:36:51.837783Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-26T19:52:12.206Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.11.0, \u003c 2.11.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-preview.1, \u003c 2.12.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-25T20:21:30.156Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j"
            },
            {
              "name": "https://advisories.nats.io/CVE/secnote-2026-15.txt",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://advisories.nats.io/CVE/secnote-2026-15.txt"
            }
          ],
          "source": {
            "advisory": "GHSA-8m2x-3m6q-6w8j",
            "discovery": "UNKNOWN"
          },
          "title": "NATS: Message tracing can be redirected to arbitrary subject"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33249",
        "datePublished": "2026-03-25T20:21:30.156Z",
        "dateReserved": "2026-03-18T02:42:27.509Z",
        "dateUpdated": "2026-03-26T19:52:12.206Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33223 (GCVE-0-2026-33223)

    Vulnerability from cvelistv5 – Published: 2026-03-25 20:20 – Updated: 2026-03-26 17:51
    VLAI
    Title
    NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing
    Summary
    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    References
    Impacted products
    Vendor Product Version
    nats-io nats-server Affected: < 2.11.15
    Affected: >= 2.12.0-RC.1, < 2.12.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33223",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-26T17:51:14.602692Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-26T17:51:23.590Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nats-server",
              "vendor": "nats-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.11.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-RC.1, \u003c 2.12.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290: Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-25T20:20:00.158Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h"
            },
            {
              "name": "https://advisories.nats.io/CVE/secnote-2026-09.txt",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://advisories.nats.io/CVE/secnote-2026-09.txt"
            }
          ],
          "source": {
            "advisory": "GHSA-pwx7-fx9r-hr4h",
            "discovery": "UNKNOWN"
          },
          "title": "NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33223",
        "datePublished": "2026-03-25T20:20:00.158Z",
        "dateReserved": "2026-03-17T23:23:58.315Z",
        "dateUpdated": "2026-03-26T17:51:23.590Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }