Incorrect authorization in nats-server - #VU135935

Published: June 30, 2026


Vulnerability identifier: #VU135935
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: NATS - The Cloud Native Messaging System
Affected software:
nats-server

Detailed vulnerability description

The vulnerability allows a remote user to bypass authorization checks and disclose sensitive metadata.

The vulnerability exists due to improper access control in the leaf node message trace destination checks applied to messages arriving over leafnode connections. A remote user with a leafnode connection can send messages whose trace destination is a subject the connection would not otherwise be permitted to publish to; the server still emits trace events to that subject, bypassing the connection's authorization checks and disclosing sensitive metadata.

Because a traced message can also be flagged trace-only, the same path can suppress normal delivery or storage of the affected messages. Trace events can include routing, subscription, account, service import, and JetStream metadata.
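The following Go program is an added example, not nats-server code, of the check the advisory implies: before a leafnode-originated message is traced, both its subject and its trace destination are tested against that connection's publish permissions, and a rejected trace header is never allowed to stop normal delivery. It assumes NATS subject-wildcard semantics (`*` one token, `>` one or more trailing tokens), allow/deny publish permissions where deny wins, and the `Nats-Trace-Dest` / `Nats-Trace-Only` headers; the `PublishPerms` type, `authorizeTrace` function and the sample messages are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Message-tracing headers as documented for NATS server 2.11.
const (
	hdrTraceDest = "Nats-Trace-Dest"
	hdrTraceOnly = "Nats-Trace-Only"
)

// PublishPerms is a constructed model of a leafnode connection's publish
// permissions (allow/deny subject lists), not the nats-server type.
type PublishPerms struct {
	Allow []string // empty means everything is allowed unless denied
	Deny  []string
}

// subjectMatches reports whether a concrete subject matches a NATS subject
// pattern: tokens are dot-separated, "*" matches exactly one token and ">"
// (only valid as the last token) matches one or more trailing tokens.
func subjectMatches(pattern, subject string) bool {
	pt := strings.Split(pattern, ".")
	st := strings.Split(subject, ".")
	for i, p := range pt {
		if p == ">" {
			return i == len(pt)-1 && len(st) > i
		}
		if i >= len(st) {
			return false
		}
		if p != "*" && p != st[i] {
			return false
		}
	}
	return len(pt) == len(st)
}

// Permitted reports whether the connection may publish to subject.
// A matching deny entry always wins over allow.
func (p PublishPerms) Permitted(subject string) bool {
	for _, d := range p.Deny {
		if subjectMatches(d, subject) {
			return false
		}
	}
	if len(p.Allow) == 0 {
		return true
	}
	for _, a := range p.Allow {
		if subjectMatches(a, subject) {
			return true
		}
	}
	return false
}

// Decision is what the server should do with an inbound leafnode message.
type Decision struct {
	Deliver   bool   // deliver to normal subscribers / stores
	Trace     bool   // emit trace events to TraceDest
	TraceDest string // subject receiving the trace events
	Reason    string
}

// authorizeTrace applies the leafnode's publish permissions to both the
// message subject and the requested trace destination. If the destination is
// not permitted, the trace is dropped and the message is delivered normally,
// so an unauthorized trace-only flag cannot suppress delivery or storage.
// (Rejecting the whole message instead would be an equally valid policy;
// this choice is an assumption of the example.)
func authorizeTrace(perms PublishPerms, subject string, headers map[string]string) Decision {
	if !perms.Permitted(subject) {
		return Decision{Reason: "publish to " + subject + " not permitted"}
	}
	dest := headers[hdrTraceDest]
	if dest == "" {
		return Decision{Deliver: true, Reason: "no trace requested"}
	}
	traceOnly := strings.EqualFold(headers[hdrTraceOnly], "true")
	if !perms.Permitted(dest) {
		return Decision{Deliver: true, Reason: "trace destination " + dest + " not permitted; trace dropped"}
	}
	return Decision{Deliver: !traceOnly, Trace: true, TraceDest: dest, Reason: "trace authorized"}
}

func main() {
	// Constructed permissions: the leaf may publish under orders.> except orders.internal.>.
	perms := PublishPerms{Allow: []string{"orders.>"}, Deny: []string{"orders.internal.>"}}
	// Constructed inbound messages, the last two probing destinations outside the allow set.
	msgs := []struct {
		subj string
		hdr  map[string]string
	}{
		{"orders.new", map[string]string{hdrTraceDest: "orders.trace"}},
		{"orders.new", map[string]string{hdrTraceDest: "$SYS.trace", hdrTraceOnly: "true"}},
		{"orders.new", map[string]string{hdrTraceDest: "orders.internal.trace"}},
	}
	for _, m := range msgs {
		fmt.Printf("%s %v -> %+v\n", m.subj, m.hdr, authorizeTrace(perms, m.subj, m.hdr))
	}
}
```

The second sample message is the case the advisory describes: a permitted subject carrying a trace destination (here a system subject) that the leafnode may not publish to, combined with trace-only. A server that checks only the message subject would both leak trace metadata to `$SYS.trace` and skip delivery; with the destination checked, the trace is dropped and the message is delivered as usual.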


Remediation

Install the security update from the vendor's website.

Sources