CVE-2026-58208 in nats-serverinfo

Summary

by MITRE • 07/09/2026

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with access to the WebSocket listener to reach uninitialized MQTT state and crash the server process. This issue is fixed in versions 2.14.3 and 2.12.12.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The NATS Server represents a critical component in modern messaging infrastructures, serving as the backbone for cloud and edge native communication patterns within the NATS.io ecosystem. This high-performance server facilitates message passing between distributed applications and systems, making it a prime target for exploitation in security attacks. The vulnerability affects versions prior to 2.14.3 and 2.12.12, where a fundamental design flaw exists in how the WebSocket listener handles incoming requests for specific paths. The issue manifests when clients connect through WebSocket endpoints that should not permit MQTT protocol handling, creating an unexpected code path that leads to system instability.

The technical flaw resides in the WebSocket listener's path routing logic which fails to properly validate whether MQTT functionality is enabled before processing requests intended for MQTT-over-WebSocket connections. When an unauthenticated client accesses a WebSocket endpoint and sends a request targeting the MQTT-over-WebSocket path, the server attempts to initialize MQTT handling components even when MQTT support has been explicitly disabled or not configured. This misconfiguration creates an uninitialized state where the server's MQTT subsystem attempts to process requests without proper initialization, leading to memory access violations and subsequent process crashes. The vulnerability essentially represents a classic improper input validation issue that allows privilege escalation through path traversal manipulation.

The operational impact of this vulnerability extends beyond simple service disruption, as it provides attackers with a reliable method to cause denial-of-service conditions against NATS Server instances. An unauthenticated attacker with network access to the WebSocket listener port can exploit this flaw to crash the server process repeatedly, potentially leading to extended downtime for applications depending on NATS messaging services. The vulnerability is particularly concerning because it affects the core server functionality and can be exploited without requiring authentication credentials or elevated privileges, making it accessible to any client capable of establishing a WebSocket connection. This creates significant risk for production environments where NATS Server instances serve as critical communication infrastructure.

Mitigation strategies should focus on immediate patching of affected versions to 2.14.3 or 2.12.12, which contain the necessary fixes for proper path validation and state management. Organizations should also implement network segmentation to restrict access to WebSocket listener endpoints, particularly where MQTT functionality is not required. Additional protective measures include implementing rate limiting on WebSocket connections, monitoring for unusual patterns in WebSocket traffic that might indicate exploitation attempts, and ensuring proper configuration management to prevent accidental enabling of unsupported protocols. From a security standards perspective, this vulnerability aligns with CWE-20 Improper Input Validation and could be categorized under ATT&CK technique T1499.004 Endpoint Denial of Service, representing a service disruption attack that leverages protocol handling flaws to cause system instability and availability loss.

Responsible

GitHub M

Reservation

06/29/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!