Description
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode operator to send trace events to subjects that would not otherwise be permitted and to use trace-only behavior to prevent normal delivery or storage of affected messages. This issue is fixed in versions 2.14.3 and 2.12.8.
Published: 2026-07-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a leafnode operator to send trace events to subjects that the server normally denies, and to use trace‑only behavior to suppress normal message delivery or storage. This bypass of the Nats-Trace-Dest permission check can enable an attacker to manipulate message flow, hide data exchanges, or force messages to be discarded without detection. The flaw originates from an authorization oversight identified as CWE‑863, whereby leafnode connections are not subject to the same permission enforcement as ordinary client connections.

Affected Systems

The issue affects deployments of the NATS Server from nats‑io, versions prior to 2.12.8 and prior to 2.14.3. All releases before 2.12.8 and 2.14.3 are impacted; upgrading to either revision or a newer version removes the flaw.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score is less than 1%, indicating a low probability of exploitation. The vulnerability has not been listed in the CISA KEV catalog. The likely attack vector is a malicious or compromised leafnode operator that has been granted connectivity to the server; the operator can inject trace events to unauthorized subjects or suppress normal traffic. Once such a connection is established, an attacker can perform the exploit without additional prerequisites; the weakness is local to the leafnode link, so remote exploitation requires the ability to become a leafnode.

Generated by OpenCVE AI on July 10, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to NATS Server 2.12.8 or later, or 2.14.3 or newer, to apply the fix
  • If a patch cannot be applied immediately, disable leafnode connections or restrict them to trusted operators until the vulnerability is resolved
  • Audit and tighten trace destination permissions in the server configuration to ensure that only authorized subjects can emit trace events

Generated by OpenCVE AI on July 10, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 20:15:00 +0000

Type Values Removed Values Added
Description NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode operator to send trace events to subjects that would not otherwise be permitted and to use trace-only behavior to prevent normal delivery or storage of affected messages. This issue is fixed in versions 2.14.3 and 2.12.8.
Title NATS Server: Incomplete fix for CVE-2026-33249: Leaf node connections bypass Nats-Trace-Dest permission check
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-09T13:38:17.588Z

Reserved: 2026-06-29T21:54:30.330Z

Link: CVE-2026-58254

cve-icon Vulnrichment

Updated: 2026-07-09T13:38:10.319Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T05:30:17Z

Weaknesses