WebSocket Listener Vulnerability in NATS Server by NATS.io
CVE-2026-58208
6.8MEDIUM
What is CVE-2026-58208?
The NATS Server, a high-performance messaging platform, has a vulnerability in its WebSocket listener that improperly routes requests for the MQTT-over-WebSocket path even when MQTT functionality is disabled. This flaw could allow an unauthenticated client to access uninitialized MQTT state and potentially crash the server process. The issue has been resolved in NATS Server versions 2.14.3 and 2.12.12, making it crucial for users to upgrade to these versions to ensure the security and stability of their systems.
Affected Version(s)
nats-server >= 2.14.0-RC.1, < 2.14.3 < 2.14.0-RC.1, 2.14.3
nats-server < 2.12.12 < 2.12.12
