CVE-2026-58250
NATS Server: Pre-auth server crash via double INFO in leafnode handshake
CVSS Score
7.5
EPSS Score
0.7%
EPSS Percentile
50th
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server during the pre-authentication leafnode handshake by sending repeated leafnode INFO protocol messages before authentication and account setup completed. This issue is fixed in versions 2.12.8 and 2.11.17.
| CWE | CWE-476 |
| Vendor | nats-io |
| Product | nats-server |
| Published | Jul 8, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for nats-io nats-server
Be the first to know when new high vulnerabilities affecting nats-io nats-server are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
nats-io / nats-server
< 2.11.17 >= 2.12.0-preview.1, < 2.12.8
References
github.com: https://github.com/nats-io/nats-server/security/advisories/GHSA-3g5q-cfh2-cq67 github.com: https://github.com/nats-io/nats-server/commit/8dcb26eaea78fdcbe96dbee5986d6019fd5cb94a github.com: https://github.com/nats-io/nats-server/commit/fc5fe39177533e9dbdd651d2458285bfae1dde27 github.com: https://github.com/nats-io/nats-server/releases/tag/v2.11.17 github.com: https://github.com/nats-io/nats-server/releases/tag/v2.12.8