MQTT Message Delivery Vulnerability in NATS Server by NATS.io
CVE-2026-58209
4.3MEDIUM
What is CVE-2026-58209?
A vulnerability in NATS Server's MQTT functionality allowed the delivery of retained messages that should have been denied based on subscriber configurations. Specifically, messages matching a subscriber's denied topics could still be sent due to a failure to check the original topic consistently before delivery in versions prior to 2.14.3 and 2.12.12. This flaw has been addressed in subsequent releases, ensuring that message delivery adheres to subscriber deny rules effectively.
Affected Version(s)
nats-server < 2.12.12 < 2.12.12
nats-server >= 2.14.0-RC.1, < 2.14.3 < 2.14.0-RC.1, 2.14.3
