NATS Server Authorization Bypass, CVE-2026-58251 (Medium) -DC-Jul2026-922

Listen to this Post

How CVE-2026-58251 Works

NATS Server is a high‑performance messaging system widely used in cloud and edge native architectures. It provides fine‑grained authorization through subject‑based deny rules, allowing administrators to block specific subjects or wildcard patterns for authenticated users. These deny rules are evaluated during subscription requests to ensure that a client cannot receive messages on restricted topics.
The vulnerability arises from an improper evaluation order when a client uses a queue subscription (a feature that distributes messages among multiple consumers in a queue group). In NATS, a queue subscription is identified by both the subject and a queue name. When a deny rule is configured on a plain subject (e.g., deny { subject: "secret." }), the server is expected to reject any subscription attempt that matches that subject, regardless of whether it is a normal or a queue subscription.
However, in affected versions, the authorization logic first checks if the queue name itself is denied. If the queue name is not explicitly listed in a deny rule, the evaluation incorrectly overrides the plain subject deny result and permits the subscription. An authenticated attacker who has been granted subscription permissions (but is restricted by subject deny rules) can simply attach any arbitrary queue name to a subscription on a denied subject and successfully receive messages from that subject.
This bypass is particularly dangerous because it does not require any special privileges beyond the ability to subscribe. The attacker only needs to know a denied subject and can use a queue subscription with a non‑denied queue name to circumvent the restriction. The flaw affects both wildcard and exact subject deny rules, as the queue‑specific evaluation takes precedence over the subject‑based denial.
The vulnerability was discovered and reported through responsible disclosure, and the NATS maintainers have released patches in versions 2.14.0, 2.12.7, and 2.11.16. The fix ensures that subject deny rules are always evaluated before any queue‑specific checks, so that a denied subject cannot be bypassed by simply adding a queue name.

DailyCVE Form:

Platform: NATS Server
Version: <2.14.0/2.12.7/2.11.16
Vulnerability: Authorization Bypass
Severity: Medium (CVSS 6.5)
Date: 2026-07-08

Prediction: 2026-07-15

What Undercode Say (Analytics)

Check the running NATS Server version:

nats-server -version

Or, if the server is already running, query the server info:

curl -s http://localhost:8222/varz | jq '.version'

Example configuration showing a deny rule that is vulnerable:

authorization {
users = [
{
user: "alice"
password: "pass"
permissions: {
deny: {
subjects: ["secret."]
}
}
}
]
}

Simulate the bypass using a queue subscription (using `nats` CLI):

This subscription should be denied, but in vulnerable versions it succeeds
nats sub "secret.data" --queue "any-queue" --user alice --password pass

Check the server logs for unexpected queue subscriptions on denied subjects:

grep -i "subscription" /var/log/nats-server.log | grep -i "secret"

Exploit

An authenticated attacker with valid credentials can perform the following steps:
1. Identify a subject that is denied for their user (e.g., secret.).
2. Send a subscription request for that subject with a queue name that is not denied (any arbitrary string, e.g., "myqueue").
3. The server incorrectly evaluates the queue‑specific deny rule (which is not present) and overrides the plain subject deny, allowing the subscription.
4. The attacker then receives all messages published to the denied subject, leading to unauthorized information disclosure.
No additional tools or complex exploits are required – the attack is trivial to execute with standard NATS client libraries.

Protection

  • Upgrade to NATS Server version 2.14.0, 2.12.7, or 2.11.16 immediately.
  • If an immediate upgrade is not possible, avoid using queue subscriptions for users who are subject to deny rules, or explicitly deny all queue names for those users (though this is not a complete mitigation).
  • Audit existing authorization configurations to ensure that deny rules are correctly enforced after the upgrade.
  • Monitor server logs for anomalous queue subscription attempts on sensitive subjects.

Impact

  • Confidentiality: High – an attacker can read messages on subjects that should be inaccessible, potentially exposing sensitive business data, secrets, or internal communications.
  • Integrity: None – the vulnerability does not allow modification of messages.
  • Availability: None – the service remains operational.
  • Scope: Unauthorized information disclosure affects the entire queue group, as all consumers in the queue will receive the denied messages.
    The overall risk is moderate due to the requirement of valid authentication and the availability of patched versions. However, in environments where sensitive data is transmitted via NATS, this flaw poses a significant threat to data confidentiality.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top