CVE-2026-58214
Received Received - Intake

MQTT QoS2 Metadata Exposure in NATS Server

Vulnerability report for CVE-2026-58214, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an authenticated MQTT client could subscribe to the internal $MQTT.deliver.pubrel subject family, bypassing configured subscribe permissions and exposing MQTT QoS2 protocol metadata for sessions in the account. This issue is fixed in versions 2.14.3 and 2.12.12.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
nats_io nats_server to 2.12.12 (exc)
nats_io nats_server to 2.12.7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated MQTT client to bypass access control lists and subscribe to internal MQTT delivery subjects, exposing MQTT QoS2 protocol metadata. Although it does not expose message payloads, the unauthorized access to internal protocol metadata could potentially lead to unauthorized information disclosure.

Such unauthorized access and bypass of configured permissions may impact compliance with standards and regulations that require strict access controls and protection of sensitive data, such as GDPR and HIPAA. Specifically, the exposure of protocol metadata could be considered a failure to adequately protect data confidentiality and integrity under these regulations.

However, the CVE description and resources do not explicitly mention compliance impacts or regulatory considerations.

Mitigation Strategies

The primary mitigation step is to upgrade the NATS server to a fixed version that addresses this vulnerability.

  • Upgrade to NATS server version 2.14.3 or later, or 2.12.12 or later, where the issue is fixed.

There is no known workaround for deployments that use MQTT, so upgrading is essential to prevent unauthorized subscription to internal MQTT delivery subjects.

After upgrading, verify that MQTT clients cannot subscribe to the "$MQTT.deliver.pubrel.*" subjects by testing or monitoring subscriptions.

Executive Summary

CVE-2026-58214 is a vulnerability in the NATS Server that allows an authenticated MQTT client to bypass access control lists and subscribe to internal MQTT delivery subjects prefixed with "$MQTT.deliver.pubrel". These internal subjects should be restricted, but due to this flaw, clients can access MQTT QoS2 protocol metadata for sessions in the account without proper permissions.

The issue arises from incomplete authorization checks in the server's subscription processing, allowing MQTT clients to subscribe to internal subjects that expose protocol metadata, though not the message payloads themselves.

This vulnerability affects versions of NATS Server prior to 2.14.3 and 2.12.12 and was fixed by adding explicit checks to block subscriptions to these internal subjects.

Impact Analysis

This vulnerability can impact you by allowing an authenticated MQTT client to bypass configured subscribe permissions and access internal MQTT delivery subjects that contain QoS2 protocol metadata.

While the message payloads are not exposed, the leakage of protocol metadata could potentially aid an attacker in understanding session details or the messaging behavior within the account.

The vulnerability requires low privileges and no user interaction to exploit, making it a moderate risk (CVSS score 4.3) for deployments using MQTT with NATS Server versions before the fixed releases.

Detection Guidance

This vulnerability involves an authenticated MQTT client subscribing to internal subjects prefixed with "$MQTT.deliver.pubrel" which should be restricted. Detection would involve monitoring MQTT client subscriptions to check if any client is subscribing to these internal subjects.

You can detect attempts to exploit this vulnerability by inspecting MQTT subscription requests on your NATS server logs or network traffic for subscriptions to topics starting with "$MQTT.deliver.pubrel".

Example commands or approaches might include:

  • Using NATS server logs to search for subscription requests to "$MQTT.deliver.pubrel.*" subjects.
  • Using network packet capture tools (e.g., tcpdump or Wireshark) to filter MQTT SUBSCRIBE packets containing "$MQTT.deliver.pubrel" topics.
  • Querying the NATS server monitoring endpoints or APIs (if available) to list active subscriptions and check for unauthorized subscriptions to internal MQTT subjects.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58214. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart