🟠 High  |  Source: Microsoft Security Response Center


A vulnerability in NATS Server allows an attacker to crash WebSocket-only JetStream servers by sending a specially crafted MQTT-over-WebSocket connection request, even before MQTT is explicitly enabled. This denial-of-service flaw means that servers not configured for MQTT remain unexpectedly exposed to MQTT-related attack paths. The impact is service disruption, which could affect messaging infrastructure underpinning cloud-native applications.

Security Architect’s Take: Audit any NATS Server deployments — particularly those using WebSocket with JetStream — and apply the relevant patch immediately. Review network perimeter controls to restrict WebSocket endpoint exposure to trusted sources whilst remediation is applied.

Original advisory: CVE-2026-58208 NATS Server: MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before MQTT Is Enabled