NATS Server 2.11.x Queue Sub Deny Bypass
CVE-2026-58251 Published on July 8, 2026
NATS Server: Queue Subscribe Authz Bypass
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by using a queue subscription, because queue-specific deny evaluation could override the plain subject deny result when the queue name itself was not denied. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.
Vulnerability Analysis
CVE-2026-58251 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-58251 has been classified to as an AuthZ vulnerability or weakness.
Affected Versions
nats-io nats-server:- Version < 2.11.16 is affected.
- Version >= 2.12.0-RC.1, < 2.12.7 is affected.