{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "2.12.12"
              },
              {
                "introduced": "2.14.0-RC.1"
              },
              {
                "fixed": "2.14.3"
              }
            ],
            "source": [
              "AFFECTED_FIELD",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "introduced": "da6b158496e4ef505087642e0258c0e2e1e38567"
            },
            {
              "fixed": "e8de2a67c7a094abca6013931ecf6cbff4b3fb02"
            },
            {
              "fixed": "9b17a586be69c9ff36e4c84a421ca47da410b561"
            },
            {
              "fixed": "297b166be60fe13144084eed4b25201ead03204a"
            },
            {
              "fixed": "34b09657bb596d5f850eaa5cfc97ea6b2f989a97"
            }
          ],
          "repo": "https://github.com/nats-io/nats-server",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-4g68-3pwx-5vfj"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58214.json"
  },
  "details": "NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an authenticated MQTT client could subscribe to the internal $MQTT.deliver.pubrel subject family, bypassing configured subscribe permissions and exposing MQTT QoS2 protocol metadata for sessions in the account. This issue is fixed in versions 2.14.3 and 2.12.12.",
  "id": "CVE-2026-58214",
  "modified": "2026-07-11T03:53:35.968314797Z",
  "published": "2026-07-08T20:06:34.794Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nats-io/nats-server/releases/tag/v2.14.3"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58214.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-4g68-3pwx-5vfj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58214"
    },
    {
      "type": "FIX",
      "url": "https://github.com/nats-io/nats-server/commit/297b166be60fe13144084eed4b25201ead03204a"
    },
    {
      "type": "FIX",
      "url": "https://github.com/nats-io/nats-server/commit/34b09657bb596d5f850eaa5cfc97ea6b2f989a97"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NATS Server: MQTT subscribe ACL bypass via $MQTT.deliver.pubrel prefix (incomplete fix for CVE-2026-33217)"
}