SB2026063038 - Improper Neutralization of Special Elements in Output Used by a Downstream Component in nats-server
Published: June 30, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: N/A)
CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject unintended NATS protocol operations.
The vulnerability exists due to improper neutralization of special elements in MQTT subscription filters forwarded by route and leafnode connections when processing MQTT SUBSCRIBE requests. A remote user can send a specially crafted MQTT subscription filter to inject unintended NATS protocol operations.
Exploitation can affect forwarded protocol streams across cluster nodes or accounts where route, gateway, or leafnode connections are present.
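As an added illustration (not nats-server's own code or its fix), the following hypothetical Go check shows the kind of neutralization a forwarding layer can apply to an MQTT subscription filter before embedding it in a NATS protocol operation. It assumes the forwarded form is a whitespace-delimited, CRLF-terminated protocol line, so it rejects bytes that would alter that framing, and it also enforces MQTT's own wildcard placement rules.

```go
package main

import (
	"fmt"
	"strings"
)

// ValidateMQTTFilterForForwarding is a hypothetical check, not nats-server code.
// Assumption: a forwarded subscription becomes one NATS protocol line whose
// tokens are separated by spaces and terminated by CRLF, so any of those bytes
// inside a filter would change the framing of the forwarded stream.
func ValidateMQTTFilterForForwarding(filter string) error {
	if filter == "" {
		return fmt.Errorf("empty filter")
	}
	for i := 0; i < len(filter); i++ {
		c := filter[i]
		switch {
		case c == ' ' || c == '\t' || c == '\r' || c == '\n':
			return fmt.Errorf("protocol delimiter byte 0x%02x at offset %d", c, i)
		case c < 0x20 || c == 0x7f:
			return fmt.Errorf("control byte 0x%02x at offset %d", c, i)
		}
	}
	// MQTT wildcard rules: '+' must be a whole topic level, '#' must be the last level on its own.
	levels := strings.Split(filter, "/")
	for i, lvl := range levels {
		if strings.Contains(lvl, "+") && lvl != "+" {
			return fmt.Errorf("'+' must occupy an entire topic level (level %d)", i)
		}
		if strings.Contains(lvl, "#") && (lvl != "#" || i != len(levels)-1) {
			return fmt.Errorf("'#' must be the final topic level on its own (level %d)", i)
		}
	}
	return nil
}

func main() {
	// Constructed sample filters: two well-formed, the rest malformed or unsafe to forward.
	for _, f := range []string{"sensors/+/temp", "sensors/#", "a b", "a\r\nb", "sen+sors/x", "a/#/b"} {
		fmt.Printf("%q -> %v\n", f, ValidateMQTTFilterForForwarding(f))
	}
}
```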
Remediation
Install the update from the vendor's website.