User-Level Authentication Bypass in NATS Server by NATS.io
CVE-2026-58211

5.4MEDIUM

Key Information:

Vendor

Nats-io

Vendor
CVE Published:
8 July 2026

What is CVE-2026-58211?

The NATS Server, which serves as a high-performance messaging system for cloud and edge environments, has a vulnerability that allows unauthorized clients to bypass user-level connection restrictions. This occurs if a client registers as the configured no_auth_user using a parser path while the first client operation is not CONNECT. As a result, standard authentication checks such as allowed_connection_types and proxy_required are circumvented, potentially compromising the security of the server. This vulnerability has been addressed in NATS Server versions 2.14.3 and 2.12.12.

Affected Version(s)

nats-server < 2.12.12 < 2.12.12

nats-server >= 2.14.0-RC.1, < 2.14.3 < 2.14.0-RC.1, 2.14.3

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.