<Vulnerability name="CVE-2026-58208">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-08T20:17:39</PublicDate>
    <Bugzilla id="2498254" url="https://bugzilla.redhat.com/show_bug.cgi?id=2498254" xml:lang="en:us">
github.com/nats-io/nats-server: NATS Server: Denial of Service due to incorrect MQTT-over-WebSocket request routing
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.8</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-824</CWE>
    <Details xml:lang="en:us" source="Mitre">
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with access to the WebSocket listener to reach uninitialized MQTT state and crash the server process. This issue is fixed in versions 2.14.3 and 2.12.12.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in NATS Server. An unauthenticated client with access to the WebSocket listener could exploit a vulnerability where requests for the MQTT-over-WebSocket path were incorrectly routed into MQTT handling, even when MQTT was not configured. This allowed the client to access uninitialized MQTT state, leading to a server process crash. This can result in a Denial of Service (DoS) for the NATS Server.
    </Details>
    <Statement xml:lang="en:us">
This Moderate flaw in NATS Server allows an unauthenticated remote attacker to cause a denial of service. The vulnerability arises from incorrect routing of WebSocket requests to uninitialized MQTT handling, even when MQTT is not configured, leading to a server crash. This impacts the availability of NATS Server deployments that expose a WebSocket listener, as it does not require specific MQTT configuration to exploit.
    </Statement>
    <Mitigation xml:lang="en:us">
To mitigate this issue, restrict network access to the NATS Server's WebSocket listener to trusted clients only using firewall rules. If the WebSocket listener is not required, it can be disabled in the NATS Server configuration. Disabling the WebSocket listener may impact services that rely on WebSocket connectivity to the NATS Server. After making configuration changes, ensure to restart the NATS Server process for the changes to take effect.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>nats-server2.12</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>nats-server2.14</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-58208
https://nvd.nist.gov/vuln/detail/CVE-2026-58208
https://github.com/nats-io/nats-server/commit/73b3dd9a5ea0fa7bf08b702338676355b29b5fb4
https://github.com/nats-io/nats-server/commit/837536b98b3a9280b993282155ff2bdd3ca38c30
https://github.com/nats-io/nats-server/releases/tag/v2.12.12
https://github.com/nats-io/nats-server/releases/tag/v2.14.3
https://github.com/nats-io/nats-server/security/advisories/GHSA-p957-7v2w-g93g
    </References>
</Vulnerability>