CVE-2026-58251 in nats-server
Summary
by MITRE • 07/08/2026
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by using a queue subscription, because queue-specific deny evaluation could override the plain subject deny result when the queue name itself was not denied. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability described affects NATS Server versions prior to 2.14.0, 2.12.7, and 2.11.16, representing a significant authorization bypass flaw that undermines the security model of the NATS.io messaging system. This issue specifically targets the server's permission evaluation logic where authenticated users with subscription deny permissions could exploit a logical inconsistency in how subject and queue-based access controls are processed. The vulnerability stems from the improper handling of queue subscriptions within the authorization framework, creating a scenario where queue-specific deny evaluations could override plain subject deny rules even when the queue name itself was not explicitly denied.
The technical flaw manifests when an authenticated user possesses subscription deny permissions for certain subjects but attempts to subscribe using queue groups. In the vulnerable implementations, the system evaluates both plain subject deny rules and queue-specific deny rules separately, with the queue evaluation taking precedence in cases where the queue name itself is not denied. This creates a path where users can effectively bypass intended access restrictions by leveraging queue subscriptions, as the authorization logic fails to properly consider that a user who lacks permission for a specific subject should not be able to access it even when using queue-based subscriptions. The issue falls under CWE-284 Access Control Bypass, specifically related to improper authorization checking in message broker systems.
The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential data exposure and system compromise within environments relying on NATS Server for critical messaging infrastructure. An attacker with subscription deny permissions could potentially gain access to restricted subjects by simply switching from regular subscriptions to queue subscriptions, undermining the intended security boundaries of the messaging system. This flaw particularly affects organizations that rely heavily on fine-grained access control policies where different teams or applications require distinct levels of subject access. The vulnerability creates a persistent risk for systems where NATS Server is used as a backbone for microservices communication, event streaming, or IoT data processing, as it allows malicious actors to circumvent established security controls through legitimate subscription mechanisms.
Organizations using affected NATS Server versions should prioritize immediate remediation by upgrading to versions 2.14.0, 2.12.7, or 2.11.16, depending on their current deployment. The fix addresses the core authorization logic by ensuring that subject deny rules take precedence over queue-specific evaluations when both are present in the same access control context. System administrators should conduct thorough security audits to identify any users who might have been exploiting this vulnerability and review existing subscription permissions to ensure they align with intended security policies. Additionally, organizations should implement monitoring for unusual subscription patterns and queue usage that might indicate attempts to exploit this vulnerability, as the behavior would likely be detectable through proper log analysis and access control auditing.
This vulnerability demonstrates the complexity of implementing robust access controls in distributed messaging systems where multiple subscription mechanisms coexist and interact with authorization policies. The fix aligns with ATT&CK technique T1078 Valid Accounts by addressing a scenario where legitimate authenticated users could exploit permission inconsistencies to gain unauthorized access. Organizations should also consider implementing additional security measures such as network segmentation, enhanced logging, and regular access control reviews to strengthen their overall security posture. The incident underscores the importance of comprehensive testing of authorization logic in messaging systems, particularly when dealing with queue-based subscription models that introduce additional complexity to access control evaluation processes.