Improper Authorization in nats-server - #VU135924
Published: June 30, 2026
nats-server
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper authorization in the queue subscription permission evaluation when handling queue subscription requests. A remote user can create a queue subscription on a subject that is blocked only by a plain subject deny rule; because the queue subscription is not checked against that rule, the user receives messages the deny rule was meant to withhold and can thereby disclose sensitive information.
Exploitation requires valid credentials and a permission configuration that combines plain subject deny rules with queue-specific deny rules.
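The advisory describes deny rules of two shapes: a plain subject rule and a queue-specific rule ("subject queue"). The following Go program is an added illustration written for this page, not nats-server's own code, of how a subscribe deny check should evaluate such a list: a plain rule must apply to every subscription on a matching subject whether or not a queue group is named, and a queue rule applies only when the requested queue also matches. The rule strings, subjects and queue names are constructed sample values; treating the queue part of a rule as a token pattern with the same `*`/`>` semantics as subjects is an assumption of this model.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one entry from a subscribe deny list. "subject" denies any
// subscription on that subject; "subject queue" denies only subscriptions
// that join a matching queue group. (Modeled on the two rule shapes named
// in the advisory; this evaluator is an independent illustration.)
type Rule struct {
	Subject string
	Queue   string // empty for a plain rule
}

// parseRule splits a deny entry into its subject and optional queue part.
func parseRule(s string) Rule {
	parts := strings.Fields(s)
	r := Rule{Subject: parts[0]}
	if len(parts) > 1 {
		r.Queue = parts[1]
	}
	return r
}

// subjectMatch implements dotted-token matching: '*' matches exactly one
// token, '>' matches one or more trailing tokens.
func subjectMatch(pattern, subject string) bool {
	p := strings.Split(pattern, ".")
	s := strings.Split(subject, ".")
	for i, tok := range p {
		if tok == ">" {
			return len(s) > i
		}
		if i >= len(s) {
			return false
		}
		if tok != "*" && tok != s[i] {
			return false
		}
	}
	return len(p) == len(s)
}

// subscriptionDenied reports whether a subscription request (subject plus an
// optional queue group) is blocked by any rule, and which rule fired.
// The property the advisory is about: a queue in the request must never
// cause plain rules to be skipped, so plain rules are checked first and
// unconditionally for every matching subject.
func subscriptionDenied(denyRules []string, subject, queue string) (bool, string) {
	for _, raw := range denyRules {
		r := parseRule(raw)
		if !subjectMatch(r.Subject, subject) {
			continue
		}
		if r.Queue == "" {
			// Plain rule: applies to plain and queue subscriptions alike.
			return true, raw
		}
		// Queue rule: applies only when the request joins a matching queue.
		// (Queue-name wildcard matching here is an assumption of this model.)
		if queue != "" && subjectMatch(r.Queue, queue) {
			return true, raw
		}
	}
	return false, ""
}

func main() {
	// Constructed sample deny list mixing both rule shapes.
	rules := []string{"secrets.>", "orders.> workers"}
	for _, req := range [][2]string{
		{"secrets.db", ""}, {"secrets.db", "anyqueue"},
		{"orders.new", "workers"}, {"orders.new", "other"}, {"public.news", "workers"},
	} {
		denied, by := subscriptionDenied(rules, req[0], req[1])
		fmt.Printf("subject=%-12s queue=%-9q denied=%-5v rule=%q\n", req[0], req[1], denied, by)
	}
}
```

Running it shows that `secrets.db` is denied with or without a queue group, while `orders.new` is denied only for the `workers` queue; a check that consulted only queue rules whenever a queue was present would wrongly admit the second `secrets.db` request.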