CVE-2026-58254 in nats-serverinfo

Summary

by MITRE • 07/08/2026

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode operator to send trace events to subjects that would not otherwise be permitted and to use trace-only behavior to prevent normal delivery or storage of affected messages. This issue is fixed in versions 2.14.3 and 2.12.8.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability in NATS Server affects the authorization and message routing mechanisms within the NATS.io messaging system, specifically targeting the inconsistency between client connection handling and leafnode connection processing. This weakness exists in versions prior to 2.14.3 and 2.12.8 where the server fails to apply the same trace destination validation checks to leafnode connections as it does to regular client connections. The root cause lies in the incomplete implementation of access control policies across different connection types within the NATS messaging infrastructure.

The technical flaw manifests when a leafnode operator leverages the trace functionality to send trace events to subjects that would normally be restricted or prohibited for regular message delivery. This creates a privilege escalation scenario where leafnode connections can bypass normal authorization controls that typically govern message routing and destination access. The vulnerability stems from an incomplete security model implementation where trace-only behavior is not consistently enforced across all connection pathways, allowing malicious actors to manipulate message flow patterns.

This issue has significant operational impact on NATS Server deployments as it enables unauthorized message routing and potential data exfiltration through trace mechanisms. Attackers can use this vulnerability to redirect messages to unintended destinations, disrupt normal message delivery patterns, or even prevent legitimate messages from being delivered or stored properly. The inconsistency in access control enforcement creates blind spots in the security model where leafnode connections operate with elevated privileges that should be restricted to regular client connections.

The fix implemented in versions 2.14.3 and 2.12.8 addresses this by ensuring consistent application of trace destination checks across all connection types including leafnode connections. This remediation aligns with the principle of least privilege and consistent security policy enforcement as outlined in cybersecurity frameworks such as the CWE taxonomy for access control issues. The solution requires comprehensive testing to ensure that all connection pathways maintain identical authorization behaviors, preventing similar inconsistencies in future implementations.

Organizations using NATS Server should prioritize upgrading to the patched versions to eliminate this vulnerability and restore proper message routing security controls. The remediation process should include thorough verification of trace destination configurations and access control policies across both regular client connections and leafnode connections. Security teams must also review existing monitoring systems to ensure they can detect anomalous trace behavior patterns that might indicate exploitation attempts. This vulnerability demonstrates the importance of consistent security policy enforcement across all network connection types within distributed messaging systems, particularly in cloud-native environments where leafnode connectivity is commonly used for edge computing scenarios. The fix reinforces proper separation of concerns and ensures that message routing security controls are applied uniformly regardless of connection type or network topology.

Responsible

GitHub M

Reservation

06/29/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!