CVE-2026-58213 in nats-serverinfo

Summary

by MITRE • 07/08/2026

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupting the forwarded protocol stream and allowing injection of unintended NATS protocol operations. This issue is fixed in versions 2.14.1 and 2.12.9.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability described affects NATS Server versions prior to 2.14.1 and 2.12.9, representing a critical protocol injection flaw within the MQTT bridging functionality of the NATS.io messaging system. This issue arises from insufficient input validation when processing MQTT subscription filters that contain protocol control characters. The NATS server acts as a message broker for cloud and edge native messaging systems, facilitating communication between distributed applications through its robust routing capabilities.

The technical flaw stems from the improper handling of MQTT protocol control characters within subscription filter strings. When an MQTT client submits a subscription filter containing these control characters, the NATS server fails to sanitize or validate this input before forwarding it as part of the NATS protocol stream to route or leafnode connections. This lack of input sanitization creates a condition where maliciously crafted subscription filters can inject unintended protocol operations into the NATS communication stream. The vulnerability specifically targets the protocol stream integrity by allowing control characters that normally should be escaped or rejected during MQTT message processing to propagate through the system.

The operational impact of this vulnerability is significant as it enables an attacker with access to an MQTT client connection to potentially manipulate the NATS protocol stream being forwarded to other nodes in the network. This protocol injection capability could allow for unauthorized operations such as publishing messages to unintended subjects, subscribing to channels that should be restricted, or even executing commands against the NATS server itself through carefully crafted control character sequences. The corruption of forwarded protocol streams can lead to unpredictable behavior in connected systems, potentially causing service disruptions or enabling further exploitation of the network infrastructure.

This vulnerability aligns with CWE-170, which addresses improper handling of control characters in input validation, and represents a classic case of protocol smuggling where legitimate protocol elements are used to inject malicious operations. The issue also maps to ATT&CK technique T1071.004 for application layer protocol tunneling and T1566 for credential access through protocol manipulation. Organizations using NATS Server with MQTT bridging capabilities should immediately implement the patched versions 2.14.1 and 2.12.9, which introduce proper input validation and control character sanitization for MQTT subscription filters. Additional mitigations include implementing network segmentation around NATS server deployments, monitoring for anomalous protocol stream patterns, and restricting MQTT client access to only trusted entities within the messaging infrastructure.

Responsible

GitHub M

Reservation

06/29/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!