Improper Authorization in nats-server - #VU135925
Published: June 30, 2026
nats-server
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper authorization in the subscription permission system when processing wildcard subscription requests that overlap with wildcard deny rules. A remote user can create a wildcard subscription that receives messages on denied subjects, disclosing sensitive information.
The issue requires valid credentials and a permission configuration with overlapping wildcard allow and deny patterns. Queue subscriptions may also affect delivery to legitimate queue consumers.
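As an added example, not nats-server's own code, the following Go snippet audits a subscribe permission set for the precondition the advisory names: wildcard allow patterns that overlap wildcard deny patterns. Subject matching follows NATS conventions (dot-separated tokens, `*` for one token, trailing `>` for one or more), and the sample permission set is constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// patternsOverlap reports whether two NATS subject patterns can both match
// some subject. Tokens are dot-separated; "*" matches exactly one token and
// a trailing ">" matches one or more remaining tokens.
func patternsOverlap(a, b string) bool {
	ta, tb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(ta) && i < len(tb); i++ {
		if ta[i] == ">" || tb[i] == ">" {
			return true // either side swallows the rest of the subject
		}
		if ta[i] != "*" && tb[i] != "*" && ta[i] != tb[i] {
			return false // two different literal tokens can never agree
		}
	}
	return len(ta) == len(tb) // no ">" seen, so token counts must be equal
}

// auditSubscribePermissions lists every allow/deny pair that overlaps, which
// is the configuration shape the advisory names as a precondition.
func auditSubscribePermissions(allow, deny []string) []string {
	var findings []string
	for _, a := range allow {
		for _, d := range deny {
			if patternsOverlap(a, d) {
				findings = append(findings, fmt.Sprintf("allow %q overlaps deny %q", a, d))
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample subscribe permissions (not taken from the advisory).
	allow := []string{"orders.>", "metrics.*", "public.news"}
	deny := []string{"orders.*.internal", "metrics.secret"}
	for _, f := range auditSubscribePermissions(allow, deny) {
		fmt.Println(f)
	}
}
```

Any finding printed identifies a permission set whose wildcard allow rule covers subjects a deny rule is meant to exclude, which is the configuration to review or simplify while the fix is rolled out.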