CVE-2026-58253
Received Received - Intake

Authentication Bypass in NATS Server

Vulnerability report for CVE-2026-58253, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, when no_auth_user was configured, a parser fast path intended for ordinary client connections could also apply to route or leafnode listeners, allowing an unauthenticated peer to bypass inter-server CONNECT authentication and operate with the privileges associated with that connection type. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
nats server 2.14.0
nats server 2.12.7
nats server 2.11.16
nats server to 2.14.0 (exc)
nats server to 2.12.7 (exc)
nats server to 2.11.16 (exc)
nats server to 2.12.6 (exc)
nats server to 2.11.15 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The primary mitigation is to upgrade the NATS server to a fixed version: 2.14.0, 2.12.7, or 2.11.16 or later, where the vulnerability has been addressed by restricting the no_auth_user feature to client connections only.

If immediate upgrade is not possible, a temporary workaround is to avoid configuring no_auth_user together with route or leafnode listeners, as this combination enables the vulnerability.

Additionally, review your server configuration to ensure that non-client connections (routes, leaf nodes, gateways) require proper authentication and do not allow unauthenticated access.

Monitoring and logging connection attempts can also help detect and block unauthorized access attempts until the upgrade is applied.

Executive Summary

CVE-2026-58253 is a security vulnerability in the NATS Server where the `no_auth_user` feature, intended to allow unauthenticated client connections, was incorrectly applied to non-client connections such as routes, leaf nodes, and gateways.

This flaw allowed an unauthenticated peer to bypass the normal inter-server CONNECT authentication process by exploiting a parser fast path that accepted commands like PING without requiring authentication first.

As a result, unauthorized users could connect to these non-client connection types and operate with the privileges associated with them, potentially gaining elevated access.

The vulnerability was fixed by modifying the server's parser to restrict the `no_auth_user` fast-path exclusively to client connections, enforcing that non-client connections must always start with a CONNECT message to authenticate.

Impact Analysis

This vulnerability can allow an attacker with network access to route or leafnode listeners to bypass authentication and gain unauthorized access to the NATS server.

Such unauthorized access could enable the attacker to operate with elevated privileges associated with route, leaf node, or gateway connections.

Potential impacts include unauthorized message injection, interception, or manipulation within the messaging system, compromising data integrity and confidentiality.

Because the attacker does not need valid credentials and the attack complexity is low, this vulnerability poses a high security risk.

Detection Guidance

This vulnerability involves unauthorized use of the no_auth_user feature on non-client connections such as routes, leaf nodes, or gateways, allowing bypass of authentication by sending commands like PING without first establishing a CONNECT protocol.

To detect this vulnerability on your system, you should monitor network traffic or server logs for non-client connections that send commands (e.g., PING) without a preceding CONNECT message. This behavior indicates an attempt to bypass authentication.

Specific commands to detect this might include inspecting connection logs or using network packet capture tools (e.g., tcpdump or Wireshark) to filter for PING commands or other protocol messages sent on route, leaf node, or gateway connections before a CONNECT message is established.

Since the vulnerability is related to protocol misuse, you can also review server parser logs or enable debug logging on the NATS server to identify rejected or suspicious connection attempts that do not follow the expected CONNECT authentication flow.

Compliance Impact

CVE-2026-58253 is an authentication bypass vulnerability in the NATS Server that allows unauthenticated peers to gain elevated privileges by bypassing inter-server CONNECT authentication. This could lead to unauthorized access and potential data integrity issues.

Such unauthorized access and privilege escalation could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. If exploited, this vulnerability might lead to unauthorized data exposure or modification, thereby violating these regulatory requirements.

However, the provided context and resources do not explicitly discuss compliance impacts or regulatory considerations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58253. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart