MQTT Message Delivery Vulnerability in NATS Server by NATS.io
CVE-2026-58209

4.3MEDIUM

Key Information:

Vendor

Nats-io

Vendor
CVE Published:
8 July 2026

What is CVE-2026-58209?

A vulnerability in NATS Server's MQTT functionality allowed the delivery of retained messages that should have been denied based on subscriber configurations. Specifically, messages matching a subscriber's denied topics could still be sent due to a failure to check the original topic consistently before delivery in versions prior to 2.14.3 and 2.12.12. This flaw has been addressed in subsequent releases, ensuring that message delivery adheres to subscriber deny rules effectively.

Affected Version(s)

nats-server < 2.12.12 < 2.12.12

nats-server >= 2.14.0-RC.1, < 2.14.3 < 2.14.0-RC.1, 2.14.3

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.