CVE-2026-58252
Received Received - Intake

Information Disclosure in NATS Server

Vulnerability report for CVE-2026-58252, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a configured wildcard deny rule but was not a subset of it, and queue subscriptions could also affect delivery to legitimate queue consumers. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
nats server to 2.14.0 (exc)
nats server 2.12.7
nats server 2.11.16
nats server to 2.11.16 (exc)
nats server to 2.12.7 (exc)
nats server 2.14.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in NATS Server allows an authenticated user to receive messages on subjects they are explicitly denied access to due to improper enforcement of overlapping wildcard subscription deny rules.

This authorization bypass can lead to unauthorized disclosure of sensitive information, impacting confidentiality.

Since standards and regulations like GDPR and HIPAA require strict controls on access to sensitive data to protect privacy and confidentiality, this vulnerability could cause non-compliance by allowing unauthorized data access.

Exploiting this flaw requires valid credentials and specific permission configurations, but the potential high impact on confidentiality (CVSS score 6.5) indicates a significant risk to regulatory compliance if not mitigated.

Users are advised to upgrade to fixed versions to prevent unauthorized message delivery and maintain compliance with data protection standards.

Executive Summary

CVE-2026-58252 is a vulnerability in the NATS Server where subscription deny filters did not properly handle overlapping wildcard subjects. Specifically, the method used to check if a subscription deny filter should apply failed to detect overlapping wildcard patterns, such as "*.secret" and "foo.*". This flaw allowed authenticated users to receive messages on subjects they were explicitly denied access to when their wildcard subscription overlapped with a deny rule but was not a subset of it.

For example, a subscription to "foo.*" could incorrectly receive messages intended for "foo.secret" despite the deny filter. Queue subscriptions could also affect delivery to legitimate queue consumers. The issue was fixed by replacing the faulty matching method with one that accurately detects intersections between wildcard subjects, ensuring deny filters block messages correctly.

Impact Analysis

This vulnerability can lead to unauthorized access to messages that should have been denied, potentially exposing sensitive or confidential information to authenticated users who should not have access.

Additionally, queue subscriptions could be disrupted, affecting legitimate queue consumers and potentially causing message delivery issues within the system.

The CVSS score of 6.5 indicates a moderate severity with a high impact on confidentiality, meaning the main risk is unauthorized disclosure of information.

Detection Guidance

This vulnerability involves overlapping wildcard subscription and deny rules in the NATS server, allowing unauthorized message delivery. Detection involves reviewing your NATS server's subscription and permission configurations for overlapping wildcard patterns where deny rules might be bypassed.

Specifically, check for wildcard subscriptions that overlap with deny rules but are not subsets of them, such as subscriptions to "foo.*" when a deny rule exists for "*.secret".

While no explicit commands are provided in the resources, you can audit your NATS server configuration files or use NATS server monitoring tools to list active subscriptions and permission rules to identify overlapping wildcard patterns.

Additionally, reviewing logs for unexpected message deliveries on denied subjects may help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade your NATS server to a fixed version where this vulnerability is resolved.

  • Upgrade to NATS server version 2.14.0, 2.12.7, or 2.11.16 or later.

This update replaces the flawed subscription deny filter logic with a more accurate method that correctly enforces deny rules on overlapping wildcard subjects.

Until you can upgrade, review and adjust your permission configurations to avoid overlapping wildcard allow and deny patterns that could be exploited.

Ensure that only trusted authenticated users have access, as exploitation requires valid credentials.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58252. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart