NATS Server <=2.11.16 Auth User Bypass Denied Subject via Wildcard Sub
CVE-2026-58252 Published on July 8, 2026
NATS Server: Subscribe Authz Bypass via Wildcard-Overlap
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a configured wildcard deny rule but was not a subset of it, and queue subscriptions could also affect delivery to legitimate queue consumers. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.
Vulnerability Analysis
CVE-2026-58252 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-58252 has been classified to as an AuthZ vulnerability or weakness.
Affected Versions
nats-io nats-server:- Version < 2.11.16 is affected.
- Version >= 2.12.0-preview.1, < 2.12.7 is affected.