NATS Server Vulnerability in Connection Monitoring Requests by NATS.io
CVE-2026-58207
What is CVE-2026-58207?
NATS Server, the messaging system developed by NATS.io, is vulnerable to a condition that allows a malicious client to send account-scoped connection monitoring requests with improperly handled pagination values. Specifically, an attacker could exploit this vulnerability by supplying overly large Offset and Limit values that could lead to an overflow in the server's internal arithmetic. This could allow the client to inadvertently crash the server, disrupting service and potentially leading to a denial of service. The issue has been resolved in versions 2.14.3 and 2.12.12, and users are advised to upgrade to these versions to ensure system stability and security.
Affected Version(s)
nats-server < 2.12.12 < 2.12.12
nats-server >= 2.14.0-RC.1, < 2.14.3 < 2.14.0-RC.1, 2.14.3
