CVE-2026-58214

Source
https://cve.org/CVERecord?id=CVE-2026-58214
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58214.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58214
Aliases
  • GHSA-4g68-3pwx-5vfj
Downstream
Published
2026-07-08T20:06:34.794Z
Modified
2026-07-11T03:53:35.968314797Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
NATS Server: MQTT subscribe ACL bypass via $MQTT.deliver.pubrel prefix (incomplete fix for CVE-2026-33217)
Details

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an authenticated MQTT client could subscribe to the internal $MQTT.deliver.pubrel subject family, bypassing configured subscribe permissions and exposing MQTT QoS2 protocol metadata for sessions in the account. This issue is fixed in versions 2.14.3 and 2.12.12.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58214.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/nats-io/nats-server

Affected ranges

Type
GIT
Repo
https://github.com/nats-io/nats-server
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.12.12"
        },
        {
            "introduced": "2.14.0-RC.1"
        },
        {
            "fixed": "2.14.3"
        }
    ]
}

Affected versions

v0.*
v0.5.1
v0.5.2
v0.5.4
v0.5.6
v0.6.0
v0.6.2
v0.6.4
v0.6.6
v0.6.8
v0.7.0
v0.7.2
v0.8.0
v0.8.1
v0.9.2
v0.9.4
v0.9.6
v1.*
v1.0.0
v1.0.2
v1.0.4
v1.0.6
v1.1.0
v1.2.0
v1.3.0
v2.*
v2.0.0
v2.0.0-RC14
v2.0.0-RC19
v2.0.2
v2.0.4
v2.1.0
v2.1.2
v2.1.4
v2.1.6
v2.1.7
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.11.0
v2.11.0-RC.1
v2.11.0-RC.2
v2.11.0-RC.3
v2.11.0-RC.4
v2.11.0-RC.5
v2.11.2
v2.11.2-RC.1
v2.11.2-RC.2
v2.11.2-RC.3
v2.11.3
v2.11.3-RC.1
v2.11.3-RC.2
v2.12.0
v2.12.0-RC.1
v2.12.0-RC.2
v2.12.0-RC.3
v2.12.0-RC.4
v2.12.0-RC.5
v2.12.0-RC.6
v2.12.0-preview.1
v2.12.0-preview.2
v2.12.1
v2.12.1-RC.1
v2.12.1-RC.2
v2.12.1-RC.3
v2.12.1-RC.4
v2.12.1-RC.5
v2.12.10
v2.12.10-RC.1
v2.12.11
v2.12.2
v2.12.2-RC.1
v2.12.2-RC.2
v2.12.2-RC.3
v2.12.2-RC.4
v2.12.3
v2.12.3-RC.1
v2.12.3-RC.2
v2.12.3-RC.3
v2.12.3-RC.4
v2.12.3-RC.5
v2.12.4
v2.12.4-RC.1
v2.12.4-RC.2
v2.12.4-RC.3
v2.12.4-RC.4
v2.12.4-RC.5
v2.12.4-RC.6
v2.12.5
v2.12.5-RC.1
v2.12.5-RC.2
v2.12.6
v2.12.7
v2.12.8
v2.12.9
v2.12.9-RC.1
v2.12.9-RC.2
v2.14.0
v2.14.0-RC.1
v2.14.0-RC.2
v2.14.0-RC.3
v2.14.1
v2.14.1-RC.1
v2.14.1-RC.2
v2.14.2
v2.14.2-RC.1
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.7.0
v2.7.0-rc1
v2.7.0-rc2
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.9.0
v2.9.1
v2.9.10
v2.9.11
v2.9.12
v2.9.14
v2.9.15
v2.9.16
v2.9.17
v2.9.18
v2.9.19
v2.9.2
v2.9.20
v2.9.21
v2.9.22
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7
v2.9.8
v2.9.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58214.json"