Listen to this Post
CVE-2026-58214 is an incorrect authorization vulnerability in NATS Server, a high-performance cloud and edge native messaging system. The flaw resides in the MQTT (Message Queuing Telemetry Transport) implementation, specifically in how the server handles subscribe permissions for internal system subjects. NATS Server provides an MQTT interface that allows clients to communicate using the MQTT protocol, which is widely used in IoT and edge computing environments. The vulnerability affects all NATS Server versions prior to 2.14.3 and 2.12.12.
The root cause is that an authenticated MQTT client can subscribe to the internal subject family $MQTT.deliver.pubrel. This subject family is used internally by the NATS Server to manage MQTT QoS (Quality of Service) level 2 protocol metadata, which includes acknowledgment and delivery confirmation messages for sessions within the same account. Normally, subscribe permissions are enforced via configured Access Control Lists (ACLs) that restrict which subjects a client can subscribe to. However, due to a flaw in the authorization logic, the internal `$MQTT.deliver.pubrel` prefix is not properly filtered against these ACLs, allowing any authenticated MQTT client to bypass the configured permissions.
This issue is particularly concerning because it exposes sensitive MQTT QoS2 protocol metadata for all sessions in the account. QoS2 is the highest level of MQTT quality of service, ensuring exactly-once message delivery. The metadata includes message identifiers, delivery receipts, and publication release messages, which can be used to infer message patterns, session states, and potentially hijack or interfere with active MQTT sessions. The vulnerability is considered an incomplete fix for a previous issue, CVE-2026-33217, indicating that earlier mitigation attempts did not fully address the underlying access control problem.
The attack vector is network-based, requires low privileges (authenticated MQTT client), and does not require user interaction. The confidentiality impact is limited but can lead to unauthorized exposure of internal protocol metadata. The vulnerability has been assigned a CVSS v3 score of 5.3 (Medium) by Snyk, with an EPSS probability of 0.37% (29th percentile), indicating a relatively low likelihood of active exploitation in the wild as of the disclosure date. The issue was disclosed on July 9, 2026, and fixed in versions 2.14.3 and 2.12.12. Administrators are strongly advised to upgrade to these patched versions immediately.
DailyCVE Form:
Platform: NATS Server
Version: <2.14.3, <2.12.12
Vulnerability: ACL Bypass
Severity: Medium (5.3)
date: 2026-07-09
Prediction: 2026-07-20
What Undercode Say:
Check NATS Server version
nats-server -version
Verify if vulnerable (returns true for versions < 2.12.12 or < 2.14.3)
nats-server -version | grep -E "2.[0-9]+.[0-9]+" | awk -F. '{if ($2 < 12 || ($2 == 12 && $3 < 12) || ($2 == 14 && $3 < 3)) print "VULNERABLE"; else print "PATCHED"}'
List active MQTT subscriptions (requires admin credentials)
nats account info | grep -i mqtt
Monitor for suspicious $MQTT.deliver.pubrel subscriptions
nats sub ">\$MQTT.deliver.pubrel.>" --count 1 --timeout 5s 2>/dev/null || echo "No active subscriptions to internal subject"
Analytics:
- EPSS Score: 0.37% (29th percentile)
- CVSS v3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- CWE: CWE-863 (Incorrect Authorization)
- Disclosure Date: July 9, 2026
- Patch Availability: Versions 2.14.3 and 2.12.12
Exploit:
An authenticated MQTT client can exploit this vulnerability by sending a SUBSCRIBE packet to the NATS Server with a topic filter matching the `$MQTT.deliver.pubrel` subject family. For example, subscribing to `$MQTT.deliver.pubrel.>` would capture all QoS2 metadata for the account. Because the server fails to enforce ACLs on this internal prefix, the subscription is granted, and the client begins receiving internal protocol messages. These messages contain message IDs, packet IDs, and delivery statuses that can be used to track session activity, correlate messages with clients, and potentially interfere with exactly-once delivery guarantees. No special tools are required beyond a standard MQTT client capable of subscribing to system subjects.
Protection:
Upgrade to NATS Server version 2.14.3 or 2.12.12 immediately. If an upgrade is not immediately possible, consider disabling MQTT support entirely by removing the MQTT listener configuration from the server configuration file (mqtt { port: -1 }). Additionally, restrict MQTT client authentication to only trusted clients and monitor server logs for any subscription attempts to `$MQTT.deliver.pubrel` subjects. Implement network-level access controls to limit which clients can reach the MQTT port. Regularly audit ACL configurations to ensure they are correctly enforced. The fix in the patched versions properly filters the internal `$MQTT.deliver.pubrel` prefix against configured subscribe permissions, blocking unauthorized access.
Impact:
Successful exploitation allows an attacker with valid MQTT credentials to bypass configured subscribe permissions and gain unauthorized access to internal MQTT QoS2 protocol metadata for all sessions in the account. This exposure can lead to session tracking, message correlation, and potential disruption of exactly-once message delivery semantics. While the confidentiality impact is limited, the information leak can aid in further attacks, such as session hijacking or message interception. The vulnerability does not affect data integrity or availability directly, but the metadata exposure undermines the security guarantees of the messaging system, particularly in multi-tenant environments where account isolation is critical.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

