CVE-2026-58213
Received Received - Intake

MQTT Protocol Injection in NATS Server

Vulnerability report for CVE-2026-58213, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupting the forwarded protocol stream and allowing injection of unintended NATS protocol operations. This issue is fixed in versions 2.14.1 and 2.12.9.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
nats_io nats_server to 2.14.1|end_excluding=2.12.9 (exc)
nats server 2.14.1
nats server 2.12.9
nats server to 2.14.1 |end_excluding=2.12.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58213 is a vulnerability in the NATS Server's MQTT protocol handling where MQTT clients could include control characters such as whitespace (tab, newline, carriage return, form feed) in subscription filters or publish topics. These invalid characters were not properly validated and were forwarded as NATS protocol data to route or leafnode connections. This caused corruption of the forwarded protocol stream, allowing injection of unintended NATS protocol operations.

The issue arises because these control characters can split control lines or corrupt the protocol stream, leading to unexpected behavior or protocol injection attacks. The vulnerability affects versions prior to 2.14.1 and 2.12.9 of the NATS Server.

The fix involved stricter validation of MQTT topics and subscription filters to reject control characters before forwarding, returning errors for invalid topics, and consolidating validation logic to prevent connection drops and ensure proper error handling.

Impact Analysis

This vulnerability can impact you by allowing an attacker to inject unintended NATS protocol operations into the server's communication streams. By including control characters in MQTT subscription filters or publish topics, an attacker can corrupt the protocol stream forwarded to other connections such as route or leafnode connections.

The consequences include potential corruption of protocol messages, unexpected behavior in the messaging system, and possible injection of malicious commands affecting other cluster nodes or accounts.

Anonymous MQTT deployments are at higher risk since no credentials are required to create subscriptions, but even authenticated deployments are vulnerable if clients can create subscriptions.

The vulnerability has a CVSS v3.1 base score of 7.1, indicating a high severity with impacts primarily on confidentiality and integrity.

Mitigation requires upgrading to fixed versions 2.14.1 or 2.12.9. For anonymous deployments, disabling MQTT access can serve as a temporary workaround.

Detection Guidance

The vulnerability involves MQTT clients including protocol control characters (such as whitespace characters like tab, newline, carriage return, and form feed) in subscription filters or publish topics, which are then forwarded as NATS protocol data causing protocol corruption.

Detection can focus on monitoring MQTT subscription filters and publish topics for the presence of these invalid control characters before they are forwarded to route or leafnode connections.

Since the vulnerability is related to MQTT topics containing control characters, you can detect suspicious MQTT traffic by inspecting MQTT SUBSCRIBE and PUBLISH messages for such characters.

While no explicit commands are provided in the resources, a practical approach would be to capture MQTT traffic on your network and filter for subscription filters or topics containing control characters such as tabs, newlines, carriage returns, or form feeds.

For example, using packet capture tools like tcpdump or Wireshark, you could filter MQTT packets and search for these characters in the topic fields.

  • Use tcpdump to capture MQTT traffic: tcpdump -i <interface> -s 0 -w mqtt_traffic.pcap port 1883
  • Analyze the capture with Wireshark or tshark, filtering for MQTT SUBSCRIBE or PUBLISH packets and inspecting topic strings for control characters.
  • Alternatively, use custom scripts or MQTT broker logs (if available) to detect subscription filters or topics containing whitespace/control characters.
Mitigation Strategies

The primary mitigation for this vulnerability is to upgrade the NATS Server to a fixed version where the issue is resolved.

Specifically, upgrade to NATS Server version 2.14.1 or 2.12.9 or later, as these versions include fixes that reject MQTT topics containing control characters and prevent protocol corruption.

For anonymous MQTT deployments, a temporary workaround is to disable MQTT access entirely to prevent exploitation.

For authenticated deployments, upgrading is necessary since clients with subscription creation privileges can exploit the vulnerability.

The fix includes stricter validation of MQTT topics during publish and subscribe operations, returning errors for invalid topics and preventing forwarding of malformed protocol data.

Compliance Impact

CVE-2026-58213 allows an attacker to inject unintended NATS protocol operations by including control characters in MQTT subscription filters, potentially corrupting protocol streams between cluster nodes or accounts.

This vulnerability could impact the confidentiality and integrity of data transmitted within the NATS messaging system, as indicated by its CVSS score (7.1) with high confidentiality impact and low integrity impact.

Such impacts on data confidentiality and integrity may affect compliance with standards like GDPR and HIPAA, which require protection of sensitive data and secure communication channels.

Anonymous MQTT deployments are at higher risk since no credentials are required, increasing the likelihood of unauthorized access or data manipulation.

Mitigation requires upgrading to fixed versions (2.14.1 and 2.12.9) or disabling MQTT access in anonymous deployments, which is necessary to maintain compliance with security requirements of these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58213. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart