๐Ÿ” CVE Alert

CVE-2026-58250

HIGH 7.5

NATS Server: Pre-auth server crash via double INFO in leafnode handshake

CVSS Score
7.5
EPSS Score
0.7%
EPSS Percentile
50th

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server during the pre-authentication leafnode handshake by sending repeated leafnode INFO protocol messages before authentication and account setup completed. This issue is fixed in versions 2.12.8 and 2.11.17.

CWE CWE-476
Vendor nats-io
Product nats-server
Published Jul 8, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for nats-io nats-server

Be the first to know when new high vulnerabilities affecting nats-io nats-server are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

nats-io / nats-server
< 2.11.17 >= 2.12.0-preview.1, < 2.12.8

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/nats-io/nats-server/security/advisories/GHSA-3g5q-cfh2-cq67 github.com: https://github.com/nats-io/nats-server/commit/8dcb26eaea78fdcbe96dbee5986d6019fd5cb94a github.com: https://github.com/nats-io/nats-server/commit/fc5fe39177533e9dbdd651d2458285bfae1dde27 github.com: https://github.com/nats-io/nats-server/releases/tag/v2.11.17 github.com: https://github.com/nats-io/nats-server/releases/tag/v2.12.8