5.4
CVE-2026-58211
- EPSS 0.29%
- Veröffentlicht 08.07.2026 20:16:25
- Zuletzt bearbeitet 09.07.2026 19:00:21
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
NATS Server: `no_auth_user` pre-CONNECT fast path bypasses user connection restrictions
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client could be registered as the configured no_auth_user through a parser path used when the first client operation was not CONNECT, bypassing user-level connection restrictions such as allowed_connection_types or proxy_required that normal authentication would apply. This issue is fixed in versions 2.14.3 and 2.12.12.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linuxfoundation ≫ Nats-server Version >= 2.12.0 < 2.12.12
Linuxfoundation ≫ Nats-server Version >= 2.14.0 < 2.14.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.29% | 0.211 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.4 | 2.8 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
|
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://github.com/nats-io/nats-server/security/advisories/GHSA-hmmp-q8cx-v964