PT-2026-56565 · Nats.Io · Nats Server

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-58253

CVSS v3.1

8.8

High

VectorAV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, when no auth user was configured, a parser fast path intended for ordinary client connections could also apply to route or leafnode listeners, allowing an unauthenticated peer to bypass inter-server CONNECT authentication and operate with the privileges associated with that connection type. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58253

Affected Products

Nats Server