Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5
X_Refsource_Misc x_refsource_misc
https://advisories.nats.io/CVE/secnote-2026-07.txt
Scores
CVSS v3
7.1
EPSS
0.0015
EPSS Percentile
4.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (5)
linuxfoundation/nats-server
< 2.11.15
nats-io/nats-server
0Go
nats-io/nats-server
0 - 2.11.15Go
nats-io/nats-server
< 2.11.15
nats-io/nats-server
>= 2.12.0-RC.1, < 2.12.6
Published
Mar 25, 2026
Tracked Since
Mar 26, 2026