Permission Bypass in NATS Server Affecting MQTT Clients
CVE-2026-58214

4.3MEDIUM

Key Information:

Vendor

Nats-io

Vendor
CVE Published:
8 July 2026

What is CVE-2026-58214?

An issue has been identified in NATS Server, a high-performance server designed for the NATS.io messaging system. Prior to versions 2.14.3 and 2.12.12, authenticated MQTT clients could exploit a flaw that allowed them to subscribe to the internal $MQTT.deliver.pubrel subject family. This unauthorized access bypassed the configured subscribe permissions, potentially exposing sensitive MQTT QoS2 protocol metadata for sessions within the user's account. This vulnerability has been addressed in the latest versions of NATS Server, reinforcing secure communication and data handling.

Affected Version(s)

nats-server < 2.12.12 < 2.12.12

nats-server >= 2.14.0-RC.1, < 2.14.3 < 2.14.0-RC.1, 2.14.3

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.