CVE-2026-58252 in nats-server
Summary
by MITRE • 07/08/2026
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a configured wildcard deny rule but was not a subset of it, and queue subscriptions could also affect delivery to legitimate queue consumers. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The NATS Server vulnerability represents a significant authorization bypass flaw that affects the core messaging system's access control mechanisms. This issue stems from improper handling of wildcard subscription patterns within the server's permission model, where authenticated users could potentially access messages intended for denied subjects under specific overlapping conditions. The vulnerability impacts the fundamental security assumptions of the NATS.io messaging infrastructure, which relies on strict subject-based access controls to maintain message isolation between different clients and applications.
The technical flaw manifests when a wildcard subscription pattern overlaps with a configured wildcard deny rule but does not constitute a direct subset of that rule. This creates a logical inconsistency in the server's permission evaluation engine where the system fails to properly enforce access restrictions. The issue specifically affects scenarios where wildcard patterns create ambiguous boundaries between allowed and denied subject access, particularly when queue subscriptions are involved. Queue subscriptions introduce additional complexity as they can inadvertently influence message delivery to legitimate consumers while simultaneously allowing unauthorized access to restricted subjects.
The operational impact of this vulnerability extends beyond simple unauthorized message access, potentially enabling data leakage and information disclosure across different security domains within the messaging infrastructure. An authenticated attacker could exploit this flaw to intercept messages intended for other users or applications, undermining the confidentiality guarantees that NATS Server is designed to provide. The vulnerability affects multiple versions simultaneously, indicating a systemic issue in the server's permission handling logic rather than a isolated implementation error. The fact that queue subscriptions can influence delivery to legitimate consumers while still allowing unauthorized access creates a particularly dangerous scenario where normal operations might be disrupted while security is compromised.
This vulnerability aligns with CWE-284 (Improper Access Control) and represents a classic case of insufficient authorization checking in messaging systems. The issue demonstrates how complex pattern matching logic can introduce unexpected security gaps when permission rules are not properly evaluated against all possible subscription scenarios. From an ATT&CK perspective, this vulnerability maps to privilege escalation and credential access techniques where attackers leverage legitimate access to gain unauthorized information access. Organizations using NATS Server versions prior to 2.14.0, 2.12.7, and 2.11.16 should immediately implement mitigation strategies including upgrading to patched versions, implementing additional monitoring for unauthorized message access patterns, and reviewing existing subscription permissions to minimize potential impact.
The fix implemented in the patched versions addresses the core logical flaw in how wildcard patterns are evaluated against deny rules, ensuring that proper boundary conditions are maintained between allowed and denied subject access. The resolution likely involves strengthening the permission evaluation engine to properly handle overlapping wildcard patterns and their respective access control implications. Organizations should conduct thorough security assessments of their NATS Server deployments to identify any potential exploitation attempts and implement comprehensive logging to detect unauthorized access patterns that might indicate successful exploitation of this vulnerability.