Permission Bypass in NATS Server Affecting MQTT Clients
CVE-2026-58214
4.3MEDIUM
What is CVE-2026-58214?
An issue has been identified in NATS Server, a high-performance server designed for the NATS.io messaging system. Prior to versions 2.14.3 and 2.12.12, authenticated MQTT clients could exploit a flaw that allowed them to subscribe to the internal $MQTT.deliver.pubrel subject family. This unauthorized access bypassed the configured subscribe permissions, potentially exposing sensitive MQTT QoS2 protocol metadata for sessions within the user's account. This vulnerability has been addressed in the latest versions of NATS Server, reinforcing secure communication and data handling.
Affected Version(s)
nats-server < 2.12.12 < 2.12.12
nats-server >= 2.14.0-RC.1, < 2.14.3 < 2.14.0-RC.1, 2.14.3
