Skip to main content

NATS Server CVE-2026-58210

| EUVDEUVD-2026-42348 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-07-06 vendor:ubuntu
7.5
CVSS 3.1 · Vendor: vendor:ubuntu
Share

Severity by source

Vendor (vendor:ubuntu) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Pre-authentication MQTT parser reachable over the network with a single crafted packet (AV:N/AC:L/PR:N/UI:N); impact is resource exhaustion, so A:H with C:N/I:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vendor:ubuntu).

CVSS VectorVendor: vendor:ubuntu

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Patch available
Jul 08, 2026 - 21:04 EUVD
Source Code Evidence Fetched
Jul 08, 2026 - 20:33 vuln.today
Analysis Updated
Jul 08, 2026 - 20:33 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 08, 2026 - 20:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 08, 2026 - 20:22 NVD
7.5 (HIGH)
Analysis Generated
Jul 06, 2026 - 20:19 vuln.today

DescriptionCVE.org

[Unknown description]

AnalysisAI

Denial of service in NATS Server (nats-server) MQTT handler allows a remote, unauthenticated client to exhaust server memory by sending an MQTT CONNECT packet that declares a large variable-length 'remaining length' before authentication completes. Because the pre-connection MQTT parser failed to enforce the configured max_payload limit, the server would buffer attacker-controlled data unbounded, degrading or crashing the broker (CVSS 7.5, availability-only impact). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed MQTT port
Delivery
Open TCP connection
Exploit
Send CONNECT with oversized remaining-length varint
Execution
Server buffers data past max_payload
Persist
Repeat across many connections
Impact
Exhaust memory / crash broker

Vulnerability AssessmentAI

Exploitation Exploitation requires the optional NATS MQTT listener to be enabled (an mqtt {} configuration block) and network-reachable by the attacker; core NATS deployments without MQTT are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent and point to a genuine but bounded (availability-only) risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an internet- or LAN-exposed NATS MQTT port opens a TCP connection and sends an MQTT CONNECT packet whose 'remaining length' varint declares a very large size, then streams (or withholds) bytes so the unpatched server keeps buffering pre-connection data without applying max_payload. Repeating this across many connections exhausts memory and degrades or crashes the broker, denying service to legitimate messaging clients. …
Remediation Vendor-released patch: upgrade nats-server to v2.12.12 (https://github.com/nats-io/nats-server/releases/tag/v2.12.12) or v2.14.3 (https://github.com/nats-io/nats-server/releases/tag/v2.14.3), which enforce the max_payload limit during pre-connection MQTT parsing (fixing commits bce9ef39469e610aeddb819194ceb7f7edfc0861 and e016e47bbf70304945f2ae9dc397e4862adefaf5). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all NATS Server deployments in production and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-3127 HIGH POC
7.5 Mar 16

NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings ar

CVE-2020-26892 CRITICAL
9.8 Nov 06

The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are han

CVE-2020-28466 HIGH
7.5 Mar 07

This affects all versions of package github.com/nats-io/nats-server/server. Rated high severity (CVSS 7.5), this vulnera

CVE-2022-24450 HIGH
8.8 Feb 08

NATS nats-server before 2.7.2 has Incorrect Access Control. Rated high severity (CVSS 8.8), this vulnerability is remote

CVE-2026-58253 HIGH
8.8 Jul 06

Authentication bypass in NATS Server (nats-io/nats-server) lets an unauthenticated attacker on an adjacent network conne

CVE-2026-58250 HIGH
7.5 Jul 06

Remote denial of service in the NATS Server (nats-io/nats-server) leafnode subsystem allows unauthenticated attackers to

CVE-2019-13126 HIGH
7.5 Jul 29

An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted reques

CVE-2026-58208 HIGH
7.5 Jul 06

Remote denial-of-service in NATS Server (nats-server) affects deployments with the WebSocket listener enabled but MQTT d

CVE-2023-46129 HIGH
7.5 Oct 31

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise,

CVE-2020-26521 HIGH
7.5 Nov 06

The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code). Rated high s

CVE-2026-58213 HIGH
7.1 Jul 06

Protocol injection in NATS Server MQTT support allows an authenticated MQTT client to smuggle control characters (tab, n

CVE-2022-26652 MEDIUM
6.5 Mar 10

NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStre

Share

CVE-2026-58210 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy