Incorrect authorization in nats-server - #VU135931
Published: June 30, 2026
nats-server
Detailed vulnerability description
The vulnerability allows a remote user to gain unauthorized access to permissions assigned to the default user.
The vulnerability exists due to improper access control in the pre-CONNECT fast path, which handles a client's first operation when that operation is not CONNECT. A remote user can send a non-CONNECT operation as the first message on a connection and thereby gain unauthorized access to the permissions assigned to the default (no_auth_user) user.
Only deployments that use no_auth_user together with restrictions such as allowed_connection_types or proxy_required are vulnerable.
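As an added configuration audit (not code from the advisory or from the nats-server project), the following Python check scans a nats-server configuration for the combination the advisory describes: no_auth_user set together with allowed_connection_types or proxy_required. It assumes a simplified reading of the config syntax (key: value pairs, '#' and '//' comments) and uses a constructed sample config; it is not a full parser.

```python
import re

# Constructed nats-server configuration fragment (not from the advisory) that
# combines no_auth_user with a per-user allowed_connection_types restriction.
SAMPLE_CONFIG = """
# assumed layout: top-level no_auth_user plus an authorization block
no_auth_user: "guest"
authorization {
  users = [
    { user: "guest", permissions: { subscribe: ["public.>"] },
      allowed_connection_types: ["STANDARD"] }  # inline comment
  ]
}
"""

# Restriction keys the advisory names as making a no_auth_user setup vulnerable.
RISKY_KEYS = ("allowed_connection_types", "proxy_required")

def _strip_comments(text):
    """Remove '#' and '//' comments, leaving quoted strings intact (simplified)."""
    out = []
    for line in text.splitlines():
        cleaned, in_quote, i = [], None, 0
        while i < len(line):
            ch = line[i]
            if in_quote:
                cleaned.append(ch)
                if ch == in_quote:
                    in_quote = None
            elif ch in "\"'":
                in_quote = ch
                cleaned.append(ch)
            elif ch == "#" or line.startswith("//", i):
                break
            else:
                cleaned.append(ch)
            i += 1
        out.append("".join(cleaned))
    return "\n".join(out)

def audit_no_auth_user(config_text):
    """Report whether the config sets no_auth_user together with a restriction key."""
    text = _strip_comments(config_text)
    m = re.search(r'^\s*no_auth_user\s*[:=]?\s*["\']?([\w.-]+)', text, re.M)
    default_user = m.group(1) if m else None
    found = sorted(k for k in RISKY_KEYS if re.search(r"\b%s\b\s*[:=]" % k, text))
    return {"default_user": default_user, "restrictions": found,
            "vulnerable_combination": default_user is not None and bool(found)}
```

A deployment that sets no_auth_user without either restriction key, or that uses the restriction keys without no_auth_user, is reported as not matching the advisory's condition.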