Description
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with access to the WebSocket listener to reach uninitialized MQTT state and crash the server process. This issue is fixed in versions 2.14.3 and 2.12.12.
Published: 2026-07-08
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NATS Server incorrectly routes requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT is not enabled. An unauthenticated client that can connect to the WebSocket listener can trigger uninitialized MQTT state, causing the server process to crash. This flaw is a classic case of using an uninitialized local variable (CWE‑248) and leads to a disruption of service for all clients.

Affected Systems

The vulnerable product is nats-io’s NATS Server. Versions prior to 2.14.3 and 2.12.12 are affected; installations of 2.14.3, 2.12.12, or later have the fix applied.

Risk and Exploitability

The CVSS score of 6.8 indicates a moderate severity vulnerability that can be exploited remotely. The EPSS score is not available, and the flaw is not listed in CISA’s KEV catalog, suggesting that current exploitation activity is unknown. The attack requires connectivity to the WebSocket listener and does not require authentication, making it accessible to anyone with network access to the server. A successful exploit would cause a server crash, resulting in a denial of service to all consumers of the messaging system.

Generated by OpenCVE AI on July 9, 2026 at 04:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NATS Server to version 2.14.3 or later (or at minimum to 2.12.12) to apply the vendor‑provided fix.
  • If an upgrade cannot be performed immediately, restrict WebSocket traffic to trusted networks or firewall rules so that only authorized hosts can reach the MQTT‑over‑WebSocket path.
  • As a temporary measure, disable the MQTT‑over‑WebSocket endpoint—or the entire WebSocket listener if it is not required—in the server configuration until a patched version is deployed.

Generated by OpenCVE AI on July 9, 2026 at 04:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with access to the WebSocket listener to reach uninitialized MQTT state and crash the server process. This issue is fixed in versions 2.14.3 and 2.12.12.
Title NATS Server: MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before MQTT Is Enabled
Weaknesses CWE-248
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T20:17:39.187Z

Reserved: 2026-06-29T17:09:25.872Z

Link: CVE-2026-58208

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:15:12Z

Weaknesses