Home

Description

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, MQTT retained message delivery and QoS1+ durable replay could deliver messages whose original topics matched a subscriber configured subscribe deny rule because these delivery paths did not consistently recheck the concrete original topic before sending the MQTT PUBLISH to the subscriber. This issue is fixed in versions 2.14.3 and 2.12.12.

PUBLISHED Reserved 2026-06-29 | Published 2026-07-08 | Updated 2026-07-09 | Assigner GitHub_M




MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-863: Incorrect Authorization

Product status

< 2.12.12
affected

>= 2.14.0-RC.1, < 2.14.3
affected

References

github.com/...server/security/advisories/GHSA-7qmq-8cc4-hxwg

github.com/...ommit/181b1f51f40b9954c57e9d478e051fb257679356

github.com/...ommit/1c429b6fdc5afd4188cc5faf1127f6334896cd87

github.com/nats-io/nats-server/releases/tag/v2.12.12

github.com/nats-io/nats-server/releases/tag/v2.14.3

cve.org (CVE-2026-58209)

nvd.nist.gov (CVE-2026-58209)

Download JSON