CVE-2026-58214 in nats-serverinfo

Summary

by MITRE • 07/08/2026

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an authenticated MQTT client could subscribe to the internal $MQTT.deliver.pubrel subject family, bypassing configured subscribe permissions and exposing MQTT QoS2 protocol metadata for sessions in the account. This issue is fixed in versions 2.14.3 and 2.12.12.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/08/2026

The NATS Server represents a critical messaging infrastructure component within cloud and edge native environments, serving as the backbone for high-performance communication patterns that underpin modern distributed systems. This vulnerability specifically targets the MQTT protocol implementation within NATS Server versions prior to 2.14.3 and 2.12.12, creating a significant security gap that affects organizations relying on MQTT QoS2 functionality for reliable message delivery. The flaw exists at the authorization and access control layer where proper permission boundaries are bypassed, allowing authenticated clients to gain unauthorized access to internal system metadata.

The technical implementation of this vulnerability stems from insufficient validation of subscription permissions within the MQTT protocol handler. When an authenticated MQTT client attempts to subscribe to the internal $MQTT.deliver.pubrel subject family, the server fails to properly enforce configured subscribe permissions that should restrict access to these internal topics. This represents a classic authorization bypass vulnerability where the system's permission model is circumvented through improper subject validation, allowing unauthorized access to sensitive QoS2 protocol metadata. The affected subject pattern $MQTT.deliver.pubrel specifically relates to MQTT's Quality of Service level 2 protocol implementation, which manages message acknowledgment and delivery guarantees between publishers and subscribers.

The operational impact of this vulnerability extends beyond simple information disclosure, as it exposes critical metadata about MQTT sessions that could be leveraged by malicious actors to understand system behavior and potentially craft more sophisticated attacks. Attackers could exploit this weakness to gather intelligence about active MQTT sessions, including session identifiers, message flow patterns, and delivery state information that would normally remain protected within the system's internal communication channels. This exposure of internal protocol metadata creates opportunities for further exploitation including potential session hijacking or protocol manipulation attacks, particularly when combined with other vulnerabilities in the messaging infrastructure.

This vulnerability aligns with CWE-285 (Improper Authorization) and represents a specific implementation flaw in access control enforcement within the MQTT protocol handler. From an ATT&CK framework perspective, this issue maps to T1078 (Valid Accounts) and T1566 (Phishing) as unauthorized access can be achieved through legitimate authentication mechanisms, potentially leading to T1213 (Data from Information Repositories) and T1595 (Active Scanning) activities. Organizations using NATS Server with MQTT functionality must consider this vulnerability as part of their broader security posture assessment, particularly in environments where sensitive messaging data flows through the system.

The fix implemented in versions 2.14.3 and 2.12.12 addresses the core authorization bypass by strengthening permission validation for internal MQTT subjects. This update ensures that subscription attempts to $MQTT.deliver.pubrel and related internal topics properly respect configured access controls, preventing authenticated clients from accessing system metadata they should not be authorized to view. System administrators should prioritize upgrading to these fixed versions while also reviewing existing MQTT subscription permissions and access control policies to ensure comprehensive protection against similar issues. Organizations should conduct thorough security assessments of their messaging infrastructure to identify potential similar authorization bypass opportunities in other protocol implementations or internal communication channels.

The remediation process requires careful attention to compatibility considerations, as the fix may affect legitimate use cases that were previously relying on the improper behavior. Administrators should test subscription patterns and access control configurations thoroughly before deployment to ensure that legitimate MQTT QoS2 functionality continues to operate correctly while preventing unauthorized metadata access. This vulnerability serves as a reminder of the critical importance of proper access control implementation in messaging systems, particularly when dealing with internal protocol subjects that may contain sensitive operational information. Regular security assessments and prompt patch management are essential for maintaining the integrity of messaging infrastructure components that serve as foundational elements for distributed application architectures.

Responsible

GitHub M

Reservation

06/29/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!