🟠 High | Source: Microsoft Security Response Center
A vulnerability in NATS Server allows an attacker to crash WebSocket-only JetStream servers by sending a specially crafted MQTT-over-WebSocket connection request, even before MQTT is explicitly enabled. This denial-of-service flaw means that servers not configured for MQTT remain unexpectedly exposed to MQTT-related attack paths. The impact is service disruption, which could affect messaging infrastructure underpinning cloud-native applications.
Security Architect’s Take: Audit any NATS Server deployments — particularly those using WebSocket with JetStream — and apply the relevant patch immediately. Review network perimeter controls to restrict WebSocket endpoint exposure to trusted sources whilst remediation is applied.
Original advisory: CVE-2026-58208 NATS Server: MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before MQTT Is Enabled