WebSocket Listener Vulnerability in NATS Server by NATS.io
CVE-2026-58208

6.8MEDIUM

Key Information:

Vendor

Nats-io

Vendor
CVE Published:
8 July 2026

What is CVE-2026-58208?

The NATS Server, a high-performance messaging platform, has a vulnerability in its WebSocket listener that improperly routes requests for the MQTT-over-WebSocket path even when MQTT functionality is disabled. This flaw could allow an unauthenticated client to access uninitialized MQTT state and potentially crash the server process. The issue has been resolved in NATS Server versions 2.14.3 and 2.12.12, making it crucial for users to upgrade to these versions to ensure the security and stability of their systems.

Affected Version(s)

nats-server >= 2.14.0-RC.1, < 2.14.3 < 2.14.0-RC.1, 2.14.3

nats-server < 2.12.12 < 2.12.12

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.