CVE-2026-58211 in nats-server
Summary
by MITRE • 07/08/2026
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client could be registered as the configured no_auth_user through a parser path used when the first client operation was not CONNECT, bypassing user-level connection restrictions such as allowed_connection_types or proxy_required that normal authentication would apply. This issue is fixed in versions 2.14.3 and 2.12.12.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/08/2026
The NATS Server vulnerability represents a critical authorization bypass flaw that undermines the security controls designed to protect messaging infrastructure. This issue affects versions prior to 2.14.3 and 2.12.12 of the NATS.io messaging system, which is widely deployed for cloud-native and edge computing environments where secure message passing is essential. The vulnerability specifically targets the server's authentication mechanism, creating a pathway for unauthorized clients to assume the identity of the configured no_auth_user account without proper authentication.
The technical flaw occurs within the parser path that handles client communication sequences. When a client connects to the NATS Server but does not immediately send a CONNECT command, the server processes subsequent operations through a specific parsing logic path that fails to properly validate authentication status. This allows malicious or improperly configured clients to register themselves as the no_auth_user account, effectively bypassing normal authentication procedures and access controls. The vulnerability exploits the timing window between initial client connection and the first legitimate operation, where the server's authentication checks are not properly enforced.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it undermines fundamental security controls that administrators rely upon to restrict connections. Specifically, connection restrictions such as allowed_connection_types and proxy_required directives become ineffective when attackers can register as no_auth_user accounts. This creates a scenario where unauthorized clients can potentially bypass network topology constraints, connection type limitations, and proxy requirements that are typically enforced through proper authentication mechanisms. The vulnerability essentially provides a backdoor that allows attackers to establish connections with elevated privileges that should only be available to properly authenticated users.
From a cybersecurity perspective, this vulnerability aligns with CWE-285 (Improper Authorization) and represents a significant weakness in the authentication flow management of the NATS Server implementation. The issue also maps to ATT&CK technique T1078 (Valid Accounts) as it allows adversaries to leverage legitimate accounts through improper access control enforcement. Organizations using NATS Server deployments face potential exposure to unauthorized message traffic, data interception, and service disruption if attackers exploit this vulnerability. The impact is particularly concerning in environments where NATS Server serves as a core messaging component for distributed applications, microservices communication, or edge computing pipelines.
The fix implemented in versions 2.14.3 and 2.12.12 addresses the root cause by ensuring that all client operations are properly validated against authentication requirements regardless of the order in which commands are received. This remediation enforces proper authorization checks throughout the entire client connection lifecycle, preventing the registration of unauthorized clients as no_auth_user accounts. Organizations should prioritize upgrading to these fixed versions and conduct security assessments to ensure no exploitation has occurred in their environments. Additionally, administrators should review their NATS Server configurations to verify that no_auth_user account permissions are appropriately restricted and that monitoring systems are in place to detect unusual connection patterns or unauthorized access attempts.