NATS Server, Authorization Bypass, CVE-2026-58252 (Medium) -DC-Jul2026-923

Listen to this Post

How CVE-2026-58252 Works

NATS Server is a high-performance messaging system for cloud and edge-native environments. It enforces access control through subject-based permissions, where administrators can configure deny rules using wildcards (e.g., `foo.` or `foo.>` ) to block certain clients from subscribing to sensitive subjects.
CVE-2026-58252 exposes a flaw in the subscription authorization logic. An authenticated user with valid credentials—but with restricted permissions—can bypass these deny rules and receive messages on subjects they should not have access to.
The vulnerability triggers when a wildcard subscription overlaps with a configured wildcard deny rule but is not a strict subset of that deny rule. For example, if a deny rule blocks `foo.` (all subjects under `foo.` ), an attacker could subscribe to `foo.>` (which matches any subject under `foo` recursively) and still receive messages, because the overlap check was not correctly enforcing the subset relationship.
Additionally, queue subscriptions (where multiple consumers share a queue name) exacerbate the issue. The deny evaluation logic could incorrectly prioritize queue‑specific permissions over the plain subject deny rule when the queue name itself was not explicitly denied. This means that even if a subject is denied, an attacker using a queue subscription with a non‑denied queue name could still receive messages intended for legitimate queue consumers.
The attack requires low privileges (authenticated user) and can be launched remotely over the network. No user interaction is needed. The flaw affects confidentiality only—attackers can read messages they should not see, but they cannot modify or delete data.
The issue was introduced in version 2.11.0 and affects all releases before 2.11.16, 2.12.7, and 2.14.0. The fix corrects the overlap and queue‑specific evaluation logic to ensure deny rules are strictly enforced regardless of subscription type or wildcard pattern.

DailyCVE Form

Platform: NATS Server
Version: < 2.11.16, < 2.12.7, < 2.14.0
Vulnerability : Authorization Bypass
Severity: Medium (CVSS 6.5)
date: 2026-07-08

Prediction: Patch expected 2026-07-15

What Undercode Say

Analytics – Public metrics show EPSS score of 0.46% (38th percentile), indicating low exploitation likelihood in the wild. CISA rates it as not automatable with partial technical impact. Snyk assigns a 7.1 (High) severity. The vulnerability affects all NATS Server deployments using wildcard deny rules and queue subscriptions in multi‑tenant environments.

Bash Commands (Version Check & Update)

Check current NATS Server version
nats-server -version
For Debian/Ubuntu (APT)
apt show nats-server | grep Version
Upgrade to patched version
For v2.11.x
wget https://github.com/nats-io/nats-server/releases/download/v2.11.16/nats-server-v2.11.16-linux-amd64.tar.gz
tar -xzf nats-server-v2.11.16-linux-amd64.tar.gz
sudo mv nats-server-v2.11.16-linux-amd64/nats-server /usr/local/bin/
For v2.12.x
wget https://github.com/nats-io/nats-server/releases/download/v2.12.7/nats-server-v2.12.7-linux-amd64.tar.gz
tar -xzf nats-server-v2.12.7-linux-amd64.tar.gz
sudo mv nats-server-v2.12.7-linux-amd64/nats-server /usr/local/bin/
For v2.14.x
wget https://github.com/nats-io/nats-server/releases/download/v2.14.0/nats-server-v2.14.0-linux-amd64.tar.gz
tar -xzf nats-server-v2.14.0-linux-amd64.tar.gz
sudo mv nats-server-v2.14.0-linux-amd64/nats-server /usr/local/bin/
Verify upgrade
nats-server -version

Configuration Audit Snippet

Check for existing deny rules in server configuration
grep -r "deny" /etc/nats-server.conf
grep -r "subscription" /etc/nats-server.conf
List all active subscriptions (requires admin credentials)
nats sub ">" --user admin --password pass --server nats://localhost:4222

Exploit

An authenticated attacker with low privileges can:

  1. Identify a configured wildcard deny rule (e.g., deny: ["foo."]) that blocks access to certain subjects.
  2. Create a wildcard subscription that overlaps but is not a subset of the deny rule—for example, `foo.>` (matches all subjects under `foo` recursively).
  3. Due to the flawed overlap check, the server incorrectly allows the subscription.
  4. Alternatively, use a queue subscription (e.g., queue q1 foo.) where the queue name itself is not denied, causing the deny evaluation to be overridden.
  5. Receive messages published to foo.bar, foo.baz, or any other subject under foo, thus bypassing the intended access restriction.
    This attack does not require any special conditions and can be performed remotely without user interaction.

Protection

  • Upgrade to NATS Server versions 2.14.0, 2.12.7, or 2.11.16 (or later).
  • If immediate upgrade is not possible, avoid using wildcard deny rules (“ or >) in conjunction with overlapping wildcard subscriptions. Use explicit subject denials where feasible.
  • Review all queue subscription permissions – ensure that queue names are also explicitly denied if the underlying subject should be restricted.
  • Apply the principle of least privilege – grant only the minimum required permissions to each authenticated user.
  • Monitor logs for unexpected subscription patterns or unauthorised message deliveries.
  • Use network segmentation and firewall rules to limit access to the NATS server from untrusted networks.

Impact

  • Confidentiality breach – attackers can read sensitive messages they are not authorised to see.
  • Data leakage in multi‑tenant environments where different clients or applications rely on subject‑based isolation.
  • Disruption of legitimate queue consumers – queue subscriptions may incorrectly deliver messages to unauthorised clients, potentially causing logic errors or duplicate processing.
  • Compliance violations if the exposed data includes personally identifiable information (PII) or regulated data.
  • Reputational damage and potential financial loss due to unauthorised information disclosure.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top