NATS Server NO_AUTH Bypass before 2.11.16
CVE-2026-58253 Published on July 8, 2026
NATS Server: Route API Auth Bypass
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, when no_auth_user was configured, a parser fast path intended for ordinary client connections could also apply to route or leafnode listeners, allowing an unauthenticated peer to bypass inter-server CONNECT authentication and operate with the privileges associated with that connection type. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.
Vulnerability Analysis
Weakness Type
What is an authentification Vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2026-58253 has been classified to as an authentification vulnerability or weakness.
Affected Versions
nats-io nats-server:- Version < 2.11.16 is affected.
- Version >= 2.12.0-preview.1, < 2.12.6 is affected.