Skip to main content

NATS Server CVE-2026-58208

| EUVDEUVD-2026-42391 HIGH
Uncaught Exception (CWE-248)
2026-07-06 vendor:ubuntu
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote unauthenticated request over an enabled WebSocket listener triggers a crash with no auth or interaction, so AV:N/AC:L/PR:N/UI:N; impact is availability-only (A:H), C:N/I:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jul 09, 2026 - 19:38 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 09, 2026 - 19:38 vuln.today
Analysis Updated
Jul 09, 2026 - 19:38 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 09, 2026 - 19:22 vuln.today
cvss_changed
Severity Changed
Jul 09, 2026 - 19:22 NVD
MEDIUM HIGH
CVSS changed
Jul 09, 2026 - 19:22 NVD
6.8 (MEDIUM) 7.5 (HIGH)
Patch available
Jul 08, 2026 - 22:04 EUVD
CVSS changed
Jul 08, 2026 - 21:22 NVD
6.8 (MEDIUM)
Analysis Generated
Jul 06, 2026 - 20:20 vuln.today

DescriptionNVD

[Unknown description]

AnalysisAI

Remote denial-of-service in NATS Server (nats-server) affects deployments with the WebSocket listener enabled but MQTT disabled; per the GHSA-p957-7v2w-g93g advisory and the fixing commit, an unauthenticated attacker can send an MQTT-over-WebSocket upgrade request to the WebSocket endpoint while MQTT is turned off, triggering an uncaught exception (CWE-248) that crashes the server (CVSS 7.5, availability-only impact). This is a Linux Foundation CNCF messaging component fixed in nats-server 2.12.12 and 2.14.3. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach WebSocket listener port
Delivery
Send MQTT-over-WebSocket upgrade to /mqtt
Exploit
Server accepts MQTT kind with MQTT disabled
Execution
Trigger uncaught exception in upgrade path
Impact
Crash nats-server process (DoS)

Vulnerability AssessmentAI

Exploitation Requires the NATS WebSocket listener to be enabled AND the MQTT subsystem to be disabled (opts.MQTT.Port == 0). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals converge on moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a NATS Server's WebSocket port on a deployment where MQTT is disabled opens a WebSocket handshake to the MQTT path and sends an MQTT-kind upgrade request. Because the server accepts the MQTT upgrade despite MQTT being unconfigured, it hits an uncaught exception and the nats-server process crashes, disrupting all messaging clients. …
Remediation Vendor-released patch: upgrade to nats-server 2.12.12 (for the 2.12.x line and earlier) or 2.14.3 (for the 2.14.x / 2.14.0-RC line), per GHSA-p957-7v2w-g93g and the release notes at https://github.com/nats-io/nats-server/releases/tag/v2.12.12 and https://github.com/nats-io/nats-server/releases/tag/v2.14.3; the fix is commit 73b3dd9a5ea0fa7bf08b702338676355b29b5fb4, which rejects MQTT-over-WebSocket upgrades when MQTT is not enabled. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all NATS Server instances with WebSocket enabled and document current versions (affected: pre-2.12.12 and pre-2.14.3). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-3127 HIGH POC
7.5 Mar 16

NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings ar

CVE-2020-26892 CRITICAL
9.8 Nov 06

The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are han

CVE-2020-28466 HIGH
7.5 Mar 07

This affects all versions of package github.com/nats-io/nats-server/server. Rated high severity (CVSS 7.5), this vulnera

CVE-2022-24450 HIGH
8.8 Feb 08

NATS nats-server before 2.7.2 has Incorrect Access Control. Rated high severity (CVSS 8.8), this vulnerability is remote

CVE-2026-58253 HIGH
8.8 Jul 06

Authentication bypass in NATS Server (nats-io/nats-server) lets an unauthenticated attacker on an adjacent network conne

CVE-2026-58250 HIGH
7.5 Jul 06

Remote denial of service in the NATS Server (nats-io/nats-server) leafnode subsystem allows unauthenticated attackers to

CVE-2026-58210 HIGH
7.5 Jul 06

Denial of service in NATS Server (nats-server) MQTT handler allows a remote, unauthenticated client to exhaust server me

CVE-2019-13126 HIGH
7.5 Jul 29

An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted reques

CVE-2023-46129 HIGH
7.5 Oct 31

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise,

CVE-2020-26521 HIGH
7.5 Nov 06

The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code). Rated high s

CVE-2026-58213 HIGH
7.1 Jul 06

Protocol injection in NATS Server MQTT support allows an authenticated MQTT client to smuggle control characters (tab, n

CVE-2022-26652 MEDIUM
6.5 Mar 10

NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStre

Share

CVE-2026-58208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy