🟠 High | Source: Microsoft Security Response Center
CVE-2026-58250 is a vulnerability in NATS Server that allows an unauthenticated attacker to crash the server by sending a double INFO message during the leafnode handshake process — before any authentication takes place. This means no credentials are required to trigger a denial-of-service condition, making it trivially exploitable. Any environment running NATS Server with leafnode connections enabled is potentially at risk of service disruption.
Security Architect’s Take: Audit your Azure and self-managed environments for exposed NATS Server instances with leafnode functionality enabled, and apply the vendor patch immediately. As an interim control, restrict network access to NATS leafnode ports to trusted IP ranges only, to limit unauthenticated exposure.
Original advisory: CVE-2026-58250 NATS Server: Pre-auth server crash via double INFO in leafnode handshake