SB2026063036 - Multiple vulnerabilities in nats-server
Published: June 30, 2026
Description
This security bulletin contains information about 8 vulnerabilities.
1) Integer overflow (CVE-ID: N/A)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to integer overflow in Connz pagination when processing account-scoped connection monitoring requests. A remote user can send a request with crafted pagination values to cause a denial of service.
On no-auth deployments, any client with network access to the client listener can reach the vulnerable request path. In multi-tenant deployments, exploitation depends on whether a tenant can publish to the imported account monitoring request subject.
2) Uncaught Exception (CVE-ID: N/A)
CWE-ID: CWE-248 - Uncaught Exception
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an uncaught exception in the WebSocket listener's MQTT-over-WebSocket path when a request targets that path while MQTT is not configured. A remote attacker can send a specially crafted request to cause a denial of service.
Only deployments that enable WebSocket while leaving MQTT disabled are affected.
3) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in MQTT retained message delivery and QoS1+ durable replay handling when replaying or delivering stored MQTT messages to subscribers. A remote user can subscribe with broad wildcard permissions and receive messages from denied topics to disclose sensitive information.
Only MQTT subscribers with broad wildcard subscribe permissions combined with more specific denied topics are affected; normal live delivery of a denied topic may be blocked while retained or replayed delivery still sends it.
4) Resource exhaustion (CVE-ID: N/A)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the MQTT CONNECT packet parser when processing incomplete pre-authentication MQTT CONNECT packets. A remote attacker can send a large incomplete MQTT CONNECT packet to cause a denial of service.
Only servers with MQTT support enabled are affected.
5) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain unauthorized access to permissions assigned to the default user.
The vulnerability exists due to improper access control in the pre-CONNECT fast path when processing a first client operation other than CONNECT. A remote user can send an initial non-CONNECT operation to gain unauthorized access to permissions assigned to the default user.
Only deployments that use no_auth_user together with restrictions such as allowed_connection_types or proxy_required are vulnerable.
6) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in internal $MQTT.deliver.pubrel subjects when processing MQTT subscribe requests. A remote user can subscribe to an internal MQTT delivery subject to disclose sensitive information.
Only MQTT QoS2 protocol metadata for sessions in the account is exposed; message payloads are not exposed through this path.
7) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass authorization checks and disclose sensitive metadata.
The vulnerability exists due to improper access control in leaf node message trace destination checks when processing messages arriving through leafnode connections. A remote user can send messages through a leafnode connection to cause trace events to be sent to subjects that would not otherwise be permitted, bypassing authorization checks and disclosing sensitive metadata.
Trace-only behavior can also prevent normal delivery or storage of affected messages. Trace events can include routing, subscription, account, service import, and JetStream metadata.
8) NULL pointer dereference (CVE-ID: N/A)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a null pointer dereference in the leafnode handshake logic when processing repeated leafnode INFO protocol messages before authentication and account setup complete. A remote attacker can send repeated INFO messages to cause a denial of service.
Only leafnode listeners with compression enabled are vulnerable.
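Most of the items above are gated on a deployment's configuration (MQTT enabled, WebSocket without MQTT, no_auth_user combined with allowed_connection_types or proxy_required, a leafnode listener with compression). The following triage script is an added example, not part of this bulletin and not code from the nats-server project: it scans a nats-server style configuration with a small brace-aware reader and reports which of those preconditions appear to hold, so an operator can prioritise patching across a fleet. It assumes the block names `websocket`, `mqtt`, `leafnodes`, `authorization`, `accounts` and the `operator` key follow the nats-server configuration layout (these names are not stated in the bulletin), treats a leafnode listener as compression-enabled unless `compression` is explicitly off, and does not attempt to detect item 7, which depends on leafnode trace configuration rather than a single setting. The sample configuration is constructed for the demonstration.

```python
"""Heuristic exposure triage for the configuration preconditions in SB2026063036.

Added example; not bulletin content and not nats-server project code. Block names
(`websocket`, `mqtt`, `leafnodes`, `authorization`, `accounts`) and the `operator`
key are assumed from the nats-server configuration layout. A leafnode listener is
treated as compression-enabled unless `compression` is explicitly off (assumption).
Results are a triage hint, not proof of exposure.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

_OPEN_RE = re.compile(r"(\w+)\s*[:=]?\s*[{\[]")        # `name {` or `name = [`
_KEY_RE = re.compile(r"(\w+)\s*[:=]\s*([^,{}\[\]]*)")    # `key: value`
_COMMENT_RE = re.compile(r"(^|\s)(#|//).*$")             # trailing # or // comment

Setting = Tuple[Tuple[str, ...], str, str]              # (block path, key, value)

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONFIG = """
# constructed sample, not a real deployment
port: 4222
no_auth_user: "guest"
authorization {
  users = [
    { user: "guest", password: "x", allowed_connection_types: ["WEBSOCKET"] }
  ]
}
websocket {
  port: 8080
  no_tls: true
}
leafnodes {
  port: 7422
  compression: "s2_auto"
}
"""


def parse_config(text: str) -> Tuple[List[Setting], Set[Tuple[str, ...]]]:
    """Collect (block_path, key, value) triples and the set of named block paths.

    Heuristic scanner: braces or '#' inside quoted strings are not handled,
    which is adequate for a triage pass over typical server configs.
    """
    stack: List[str] = []
    settings: List[Setting] = []
    blocks: Set[Tuple[str, ...]] = set()
    for raw in text.splitlines():
        line = _COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        body = line
        opened = _OPEN_RE.match(line)
        if opened:                                   # a named block starts on this line
            stack.append(opened.group(1).lower())
            blocks.add(tuple(stack))
            body = line[opened.end():]
        path = tuple(stack)
        for key, value in _KEY_RE.findall(body):
            settings.append((path, key.lower(), value.strip().strip("\"'").lower()))
        for ch in body:                              # anonymous blocks and list items
            if ch in "{[":
                stack.append("")
            elif ch in "}]" and stack:
                stack.pop()
    return settings, blocks


def assess_exposure(text: str) -> Dict[str, bool]:
    """Map each configuration-gated bulletin item to whether the config appears to meet it."""
    settings, blocks = parse_config(text)
    top = {b[0] for b in blocks}

    def has_key(name: str) -> bool:
        return any(k == name for _p, k, _v in settings) or any(b[-1] == name for b in blocks)

    def value_under(block: str, name: str) -> Optional[str]:
        return next((v for p, k, v in settings if p and p[0] == block and k == name), None)

    websocket, mqtt, leaf = ("websocket" in top), ("mqtt" in top), ("leafnodes" in top)
    auth_configured = bool({"authorization", "accounts"} & top) or has_key("operator")
    leaf_compression = value_under("leafnodes", "compression")
    return {
        # item 1: no-auth deployments expose the Connz request path to any client
        "unauthenticated_clients_allowed": has_key("no_auth_user") or not auth_configured,
        # item 2: WebSocket enabled while MQTT is not configured
        "websocket_without_mqtt": websocket and not mqtt,
        # items 3, 4, 6: MQTT listener present
        "mqtt_enabled": mqtt,
        # item 5: no_auth_user combined with allowed_connection_types / proxy_required
        "no_auth_user_with_restrictions": has_key("no_auth_user")
        and (has_key("allowed_connection_types") or has_key("proxy_required")),
        # item 8: leafnode listener with compression not explicitly off (assumption)
        "leafnode_compression": leaf and leaf_compression not in ("off", "none", "false"),
    }


if __name__ == "__main__":
    for condition, present in assess_exposure(SAMPLE_CONFIG).items():
        print(f"{condition:32s} {'EXPOSED' if present else 'ok'}")
```

Run it against a real server config by passing the file contents to `assess_exposure`; every `EXPOSED` line points at the bulletin item whose precondition the configuration meets, so the update can be scheduled first on the listeners that are actually reachable.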
Remediation
Install the update from the vendor's website.
References
- https://github.com/nats-io/nats-server/security/advisories/GHSA-q59r-vq66-pxc2
- https://github.com/nats-io/nats-server/security/advisories/GHSA-p957-7v2w-g93g
- https://github.com/nats-io/nats-server/security/advisories/GHSA-7qmq-8cc4-hxwg
- https://github.com/nats-io/nats-server/security/advisories/GHSA-r72h-j7qq-v6qg
- https://github.com/nats-io/nats-server/security/advisories/GHSA-hmmp-q8cx-v964
- https://github.com/nats-io/nats-server/security/advisories/GHSA-4g68-3pwx-5vfj
- https://github.com/nats-io/nats-server/security/advisories/GHSA-p3j5-5hrq-p75h
- https://github.com/nats-io/nats-server/security/advisories/GHSA-3g5q-cfh2-cq67