Description
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a configured wildcard deny rule but was not a subset of it, and queue subscriptions could also affect delivery to legitimate queue consumers. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.
Published: 2026-07-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an authenticated client to receive messages on subjects that should be denied. Overlap between a wildcard subscription and a deny rule that is not a subset of the rule permits delivery to restricted subjects, and queue subscriptions can similarly be affected, enabling delivery of messages to legitimate queue consumers that should not be exposed.

Affected Systems

This concerns the NATS Server product from nats-io. Versions prior to 2.14.0, 2.12.7, and 2.11.16 are vulnerable. Up‑to‑date releases include 2.14.0 and newer, 2.12.7 and newer, or 2.11.16 and newer, depending on the branch.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is not listed, so the exploitation likelihood is unknown. The vulnerability is not in the KEV catalog. The likely attack vector involves an authenticated client creating a subscription that overlaps with a deny rule; this is inferred from the description. If an attacker can authenticate, they may bypass subject restrictions.

Generated by OpenCVE AI on July 9, 2026 at 09:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to NATS Server version 2.14.0, 2.12.7, or 2.11.16 or newer, depending on your installed branch—this patch resolves the wildcard overlap authorization bypass.
  • After upgrading, re‑validate that wildcard deny rules are still effective by testing subscriptions to denied subjects.
  • If an upgrade cannot be performed immediately, adjust or remove wildcard deny rules that overlap with any allowed wildcard subscriptions to eliminate the conflict; this is a temporary measure only.

Generated by OpenCVE AI on July 9, 2026 at 09:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 20:15:00 +0000

Type Values Removed Values Added
Description NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a configured wildcard deny rule but was not a subset of it, and queue subscriptions could also affect delivery to legitimate queue consumers. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.
Title NATS Server: Subscribe Authz Bypass via Wildcard-Overlap
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-09T13:34:28.023Z

Reserved: 2026-06-29T21:54:30.330Z

Link: CVE-2026-58252

cve-icon Vulnrichment

Updated: 2026-07-09T13:34:23.131Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T09:30:04Z

Weaknesses