๐Ÿ” CVE Alert

CVE-2026-58254

UNKNOWN 0.0

NATS Server: Incomplete fix for CVE-2026-33249: Leaf node connections bypass Nats-Trace-Dest permission check

CVSS Score
0.0
EPSS Score
0.4%
EPSS Percentile
35th

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode operator to send trace events to subjects that would not otherwise be permitted and to use trace-only behavior to prevent normal delivery or storage of affected messages. This issue is fixed in versions 2.14.3 and 2.12.8.

CWE CWE-863
Vendor nats-io
Product nats-server
Published Jul 8, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for nats-io nats-server

Be the first to know when new unknown vulnerabilities affecting nats-io nats-server are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

nats-io / nats-server
< 2.12.8 >= 2.14.0-RC.1, < 2.14.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/nats-io/nats-server/security/advisories/GHSA-p3j5-5hrq-p75h github.com: https://github.com/nats-io/nats-server/commit/cbe845932980b71563efac5cfa4cc751c88936cd github.com: https://github.com/nats-io/nats-server/releases/tag/v2.12.8 github.com: https://github.com/nats-io/nats-server/releases/tag/v2.14.3