NATS Server: MQTT retained and QoS replay bypass subscribe deny filters
Summary
| CVE | CVE-2026-58209 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-08 20:16:53 UTC |
| Updated | 2026-07-08 20:16:53 UTC |
| Description | NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, MQTT retained message delivery and QoS1+ durable replay could deliver messages whose original topics matched a subscriber configured subscribe deny rule because these delivery paths did not consistently recheck the concrete original topic before sending the MQTT PUBLISH to the subscriber. This issue is fixed in versions 2.14.3 and 2.12.12. |
Risk And Classification
Primary CVSS: v3.1 4.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Problem Types: CWE-863 | CWE-863 CWE-863: Incorrect Authorization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | CNA | DECLARED | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Nats-io | Nats-server | affected < 2.12.12 | Not specified |
| CNA | Nats-io | Nats-server | affected >= 2.14.0-RC.1, < 2.14.3 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/nats-io/nats-server/releases/tag/v2.12.12 | [email protected] | github.com | |
| github.com/nats-io/nats-server/commit/1c429b6fdc5afd4188cc5faf1127f63348... | [email protected] | github.com | |
| github.com/nats-io/nats-server/commit/181b1f51f40b9954c57e9d478e051fb257... | [email protected] | github.com | |
| github.com/nats-io/nats-server/security/advisories/GHSA-7qmq-8cc4-hxwg | [email protected] | github.com | |
| github.com/nats-io/nats-server/releases/tag/v2.14.3 | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.