SB2026063038 - Improper Neutralization of Special Elements in Output Used by a Downstream Component in nats-server


Published: June 30, 2026

Security Bulletin ID SB2026063038
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: N/A)

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inject unintended NATS protocol operations.

The vulnerability exists due to improper neutralization of special elements in MQTT subscription filters forwarded by route and leafnode connections when processing MQTT SUBSCRIBE requests. A remote user can send a specially crafted MQTT subscription filter to inject unintended NATS protocol operations.

Exploitation can affect forwarded protocol streams across cluster nodes or accounts where route, gateway, or leafnode connections are present.
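The bulletin does not name the special elements involved. As an added illustration (not nats-server's own code), the following Go function shows the defensive pattern the flaw calls for: validating an MQTT subscription filter before it is turned into a NATS subject that will be embedded in a forwarded protocol line. It assumes, as a simplification, that the dangerous elements are whitespace and control characters (the NATS protocol is whitespace- and CRLF-delimited), that '/' maps to '.', '+' to '*' and '#' to '>', and it rejects '.', '*' and '>' outright rather than encoding them as the real server does.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// mqttFilterToSubject converts an MQTT topic filter into a NATS subject and
// rejects any filter that could not be embedded safely in a whitespace- and
// CRLF-delimited NATS protocol line. Mapping is a simplified assumption:
// '/' -> '.', '+' -> '*', '#' -> '>'; '.', '*' and '>' are rejected.
func mqttFilterToSubject(filter string) (string, error) {
	if filter == "" {
		return "", fmt.Errorf("empty filter")
	}
	for _, r := range filter {
		// A space, CR, LF or other control character inside a subject would
		// terminate the forwarded line early and let following bytes be read
		// as a separate protocol operation, so refuse them up front.
		if unicode.IsSpace(r) || unicode.IsControl(r) || r == '.' || r == '*' || r == '>' {
			return "", fmt.Errorf("illegal character %q in filter", r)
		}
	}
	levels := strings.Split(filter, "/")
	out := make([]string, len(levels))
	for i, lvl := range levels {
		switch {
		case lvl == "": // NATS subjects cannot contain empty tokens
			return "", fmt.Errorf("empty topic level at position %d", i)
		case lvl == "+": // single-level wildcard
			out[i] = "*"
		case lvl == "#": // multi-level wildcard, MQTT requires it to be last
			if i != len(levels)-1 {
				return "", fmt.Errorf("'#' must be the last topic level")
			}
			out[i] = ">"
		case strings.ContainsAny(lvl, "+#"):
			return "", fmt.Errorf("wildcard must occupy a whole topic level: %q", lvl)
		default:
			out[i] = lvl
		}
	}
	return strings.Join(out, "."), nil
}

func main() {
	// Constructed sample filters: two valid ones and one carrying a CRLF.
	for _, f := range []string{"sensors/+/temp", "sensors/#", "a/b\r\nc"} {
		s, err := mqttFilterToSubject(f)
		fmt.Printf("%q -> %q, err=%v\n", f, s, err)
	}
}
```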


Remediation

Install the update from the vendor's website.