User-Level Authentication Bypass in NATS Server by NATS.io
CVE-2026-58211
5.4MEDIUM
What is CVE-2026-58211?
The NATS Server, which serves as a high-performance messaging system for cloud and edge environments, has a vulnerability that allows unauthorized clients to bypass user-level connection restrictions. This occurs if a client registers as the configured no_auth_user using a parser path while the first client operation is not CONNECT. As a result, standard authentication checks such as allowed_connection_types and proxy_required are circumvented, potentially compromising the security of the server. This vulnerability has been addressed in NATS Server versions 2.14.3 and 2.12.12.
Affected Version(s)
nats-server < 2.12.12 < 2.12.12
nats-server >= 2.14.0-RC.1, < 2.14.3 < 2.14.0-RC.1, 2.14.3
