Skip to main content

NATS Server CVE-2026-58213

| EUVDEUVD-2026-42383 HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-07-06 vendor:ubuntu
7.1
CVSS 3.1 · Vendor: vendor:ubuntu
Share

Severity by source

Vendor (vendor:ubuntu) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
7.1 HIGH

Authenticated MQTT publish gives PR:L; dependence on MQTT plus leaf-node forwarding raises AC:H; injection crosses into the leaf node connection's subject space, so S:C with C:H, I:L.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (vendor:ubuntu).

CVSS VectorVendor: vendor:ubuntu

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

7
Patch available
Jul 08, 2026 - 21:04 EUVD
Analysis Updated
Jul 08, 2026 - 20:32 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 08, 2026 - 20:32 vuln.today
Analysis Updated
Jul 08, 2026 - 20:32 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 08, 2026 - 20:22 NVD
7.1 (HIGH)
Analysis Generated
Jul 06, 2026 - 20:18 vuln.today

DescriptionCVE.org

[Unknown description]

AnalysisAI

Protocol injection in NATS Server MQTT support allows an authenticated MQTT client to smuggle control characters (tab, newline, carriage return, form feed) inside publish and Will topics, which corrupt the NATS wire protocol when the topic is converted to a NATS subject and forwarded across leaf node connections. Fixed in nats-server v2.12.9 and v2.14.1, the flaw (GHSA-qrcv-3558-gj4f, CWE-74) is tagged Information Disclosure and lets a low-privileged publisher influence how messages are framed and routed to other connections. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to MQTT listener
Delivery
Publish topic with CR/LF control bytes
Exploit
Topic converted to NATS subject
Execution
Corrupted control line sent to leaf node
Persist
NATS parser misframes injected protocol
Impact
Disclose or misroute other clients' messages

Vulnerability AssessmentAI

Exploitation Requires an authenticated MQTT client session (PR:L) with permission to PUBLISH or to set a Will topic, and the server must have the MQTT interface enabled; the demonstrated wire-protocol corruption further requires the affected topic to be forwarded to another connection such as a leaf node, so a leaf node / federated deployment is the concrete condition that makes the injection impactful. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, base 7.1) marks this network-reachable, low-complexity, requiring low privileges (PR:L = an authenticated MQTT session) with high confidentiality impact and low integrity impact - consistent with subject injection that can expose or misroute messages. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds valid credentials for a NATS MQTT account connects and PUBLISHes to a topic containing carriage-return/line-feed and other control bytes; when the server converts that topic to a NATS subject and forwards it over a leaf node connection, the embedded characters break the wire-protocol framing, allowing the attacker to influence message routing or inject protocol elements that disclose messages destined for other connections. Attack complexity is low at the protocol layer but depends on MQTT and leaf node connectivity being configured; no public POC was provided in the source data.
Remediation Vendor-released patch: upgrade to nats-server v2.12.9 (2.12.x line) or v2.14.1 (2.14.x line), which add mqttValidatePublishTopic to reject framing control characters in MQTT publish and Will topics (see fix commits 366837c, 64ebae4, f14856b and pull requests https://github.com/nats-io/nats-server/pull/8163 and https://github.com/nats-io/nats-server/pull/8164, plus advisory https://github.com/nats-io/nats-server/security/advisories/GHSA-qrcv-3558-gj4f). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all NATS Server deployments, versions, and MQTT/leaf node configurations in your environment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-3127 HIGH POC
7.5 Mar 16

NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings ar

CVE-2020-26892 CRITICAL
9.8 Nov 06

The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are han

CVE-2020-28466 HIGH
7.5 Mar 07

This affects all versions of package github.com/nats-io/nats-server/server. Rated high severity (CVSS 7.5), this vulnera

CVE-2022-24450 HIGH
8.8 Feb 08

NATS nats-server before 2.7.2 has Incorrect Access Control. Rated high severity (CVSS 8.8), this vulnerability is remote

CVE-2026-58253 HIGH
8.8 Jul 06

Authentication bypass in NATS Server (nats-io/nats-server) lets an unauthenticated attacker on an adjacent network conne

CVE-2026-58250 HIGH
7.5 Jul 06

Remote denial of service in the NATS Server (nats-io/nats-server) leafnode subsystem allows unauthenticated attackers to

CVE-2026-58210 HIGH
7.5 Jul 06

Denial of service in NATS Server (nats-server) MQTT handler allows a remote, unauthenticated client to exhaust server me

CVE-2019-13126 HIGH
7.5 Jul 29

An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted reques

CVE-2026-58208 HIGH
7.5 Jul 06

Remote denial-of-service in NATS Server (nats-server) affects deployments with the WebSocket listener enabled but MQTT d

CVE-2023-46129 HIGH
7.5 Oct 31

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise,

CVE-2020-26521 HIGH
7.5 Nov 06

The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code). Rated high s

CVE-2022-26652 MEDIUM
6.5 Mar 10

NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStre

Share

CVE-2026-58213 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy