CVE-2026-58254
Received Received - Intake

Message Trace Bypass in NATS Server

Vulnerability report for CVE-2026-58254, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode operator to send trace events to subjects that would not otherwise be permitted and to use trace-only behavior to prevent normal delivery or storage of affected messages. This issue is fixed in versions 2.14.3 and 2.12.8.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
nats server 2.14.3
nats server to 2.14.3 (exc)
nats server 2.12.8
nats server to 2.12.8 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in the NATS server involves leafnode connections bypassing permission checks for the Nats-Trace-Dest header. Specifically, leafnode operators could send trace events to subjects that would normally be restricted, allowing them to send trace events to unauthorized destinations.

This bypass means that trace events, which may include sensitive metadata such as routing details, account information, and JetStream data, could be sent to unauthorized subjects. Although the original message payload remains unaffected, this unauthorized trace-only behavior could also be used to prevent normal delivery or storage of affected messages.

The issue was present in NATS server versions 2.14.2 and below, and 2.12.7 and below, and has been fixed in versions 2.14.3 and 2.12.8.

Compliance Impact

The vulnerability allows leafnode operators to bypass permission checks and send trace events containing sensitive metadata such as routing details, account information, and JetStream data to unauthorized subjects. This unauthorized exposure and potential interference with message delivery or storage could lead to unauthorized access or disclosure of sensitive information.

Such unauthorized access or disclosure of sensitive metadata may impact compliance with data protection regulations like GDPR or HIPAA, which require strict controls over access to and processing of personal or sensitive data. Organizations using affected versions of the NATS server might face increased risk of non-compliance due to this vulnerability.

Upgrading to fixed versions 2.14.3 or 2.12.8 is advised to mitigate this risk, as no other workarounds are available.

Detection Guidance

There is no specific information provided in the available resources about commands or methods to detect this vulnerability on your network or system.

The recommended action is to verify the version of the NATS server you are running and ensure it is updated to version 2.14.3 or 2.12.8 or later, as these versions contain the fix for this vulnerability.

No other detection or mitigation commands or techniques are described in the provided resources.

Impact Analysis

This vulnerability can impact you by allowing a leafnode operator to send trace events to unauthorized subjects, potentially exposing sensitive metadata such as routing details, account information, and JetStream data.

Additionally, the unauthorized trace-only behavior can be exploited to interfere with the normal delivery or storage of messages, which could disrupt messaging workflows or data integrity.

Because the original message payload is not affected, the direct content of messages remains secure, but the metadata exposure and message handling interference pose moderate security risks.

Mitigation Strategies

The primary and recommended immediate step to mitigate this vulnerability is to upgrade the NATS server to a fixed version.

  • Upgrade to NATS server version 2.14.3 or later.
  • Alternatively, upgrade to version 2.12.8 or later if using the 2.12.x branch.

No other workarounds or mitigations are available according to the advisory.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58254. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart