🟠 High  |  Source: Microsoft Security Response Center


CVE-2026-58209 is a vulnerability in NATS Server affecting its MQTT implementation, where retained messages and QoS replay can bypass subscription deny filters. This means that access control rules intended to block certain subscribers from receiving messages may be circumvented, potentially exposing sensitive data to unauthorised clients. It is particularly relevant to Azure-hosted workloads using NATS as a messaging backbone.

Security Architect’s Take: Audit any NATS Server deployments — particularly those using MQTT with retained messages or QoS — and apply the vendor patch immediately. Review your subscription deny filter configurations and consider temporarily disabling MQTT retained message functionality until patched instances are confirmed in production.

Original advisory: CVE-2026-58209 NATS Server: MQTT retained and QoS replay bypass subscribe deny filters