PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58214 nats-io CVE debrief

CVE-2026-58214 is a MEDIUM severity vulnerability in NATS Server, allowing an authenticated MQTT client to bypass subscribe permissions. This issue enables clients to access internal $MQTT.deliver.pubrel subject family, potentially exposing MQTT QoS2 protocol metadata for sessions in the account. The vulnerability is fixed in NATS Server versions 2.14.3 and 2.12.12. Users of affected versions should apply patches to prevent exploitation.

Vendor
nats-io
Product
nats-server
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-13
Advisory published
2026-07-08
Advisory updated
2026-07-13

Who should care

Users of NATS Server versions prior to 2.14.3 or 2.12.12 should apply patches to prevent authenticated MQTT clients from bypassing subscribe permissions. This includes operators of NATS Server deployments who have not yet updated to the patched versions. Additionally, security teams and vulnerability management teams should review the vulnerability's impact on their environments and plan for mitigation.

Technical summary

Prior to NATS Server versions 2.14.3 and 2.12.12, an authenticated MQTT client could subscribe to the internal $MQTT.deliver.pubrel subject family, bypassing configured subscribe permissions. This allows the client to expose MQTT QoS2 protocol metadata for sessions in the account. The issue arises from inadequate permission checks on internal subjects, which can be exploited by clients with valid authentication credentials. The fix involves enhancing permission checks to prevent unauthorized access to these internal subjects.

Defensive priority

Apply patches to prevent authenticated MQTT clients from bypassing subscribe permissions in NATS Server. Restrict access to internal subjects and monitor for suspicious activity.

Recommended defensive actions

  • Apply patches to NATS Server versions prior to 2.14.3 or 2.12.12
  • Restrict access to internal $MQTT.deliver.pubrel subject family
  • Monitor for suspicious MQTT client activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-08T20:16:54.347Z and was last modified on 2026-07-13T15:17:13.573Z. The NVD entry is currently Analyzed. Evidence is limited to public sources and may not reflect the full scope of affected systems or potential impacts. Defenders should verify the vulnerability's relevance to their environments through additional research and validation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T20:16:54.347Z and has not been modified since then. The NVD entry is currently Analyzed.