Subject: nats-server: no_auth_user pre-CONNECT fast path bypasses user connection restrictions
NATS-advisory-ID: 2026-24
Aliases: GHSA-hmmp-q8cx-v964
Date: 2026-06-29
Fixed-In: v2.14.3, v2.12.12

Background:

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The NATS Server can map clients that do not send credentials to a configured no_auth_user. Users can also be limited to specific connection types or required to connect through a trusted proxy.

Problem Description:

A client could be registered as the configured no_auth_user through a parser path used when the first client operation was not CONNECT. That path did not apply the same user-level connection restrictions as normal authentication. As a result, an unauthenticated client could receive the permissions of a default user that was intended to be usable only through a specific connection type or trusted proxy.

The issue affects deployments that use no_auth_user together with restrictions such as allowed_connection_types or proxy_required. Impact depends on the permissions granted to the configured no_auth_user.

Affected Versions:

Versions v2.14.2 and below, and v2.12.11 and below, are vulnerable. The issue is fixed in v2.14.3 and v2.12.12.

Workarounds:

Avoid configuring no_auth_user with permissions that rely on allowed_connection_types or proxy_required as the only boundary.

Credit:

Asritha Bodepudi, Trail of Bits

References:

* This document is canonically:
* GHSA advisory:
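The configuration pattern the Workarounds section warns against, next to a hardened variant that gives the default user explicit least-privilege permissions, as a constructed example that is not taken from the advisory or from the nats-server project. The user name, the password placeholder, the listener ports and the subject names are assumptions; the `allowed_connection_types` and `permissions` user options are standard nats-server configuration keys.

```conf
# Constructed nats-server configuration fragment (not from the advisory).

websocket {
  port: 8080
  no_tls: true
}

# --- Pattern the advisory's workaround warns against ---------------------
# The default user is meant to be reachable only over WebSocket, and the
# allowed_connection_types restriction is the ONLY thing limiting it: the
# user otherwise inherits unrestricted publish/subscribe rights. On affected
# versions, a client that is registered through the pre-CONNECT path is not
# held to this restriction, so the boundary is the connection type alone.
#
# authorization {
#   users: [
#     { user: "web-guest", password: "<REPLACE-WITH-BCRYPT-HASH>",
#       allowed_connection_types: ["WEBSOCKET"] }
#   ]
# }
# no_auth_user: "web-guest"

# --- Hardened variant ------------------------------------------------------
# Keep the connection-type restriction, but do not rely on it alone: scope
# what the default user may do, so that even if the restriction is not
# applied, the resulting permissions are the minimum the deployment needs.
authorization {
  users: [
    { user: "web-guest", password: "<REPLACE-WITH-BCRYPT-HASH>",
      allowed_connection_types: ["WEBSOCKET"],
      permissions: {
        # Deny all publishing for the credential-less default user.
        publish: { deny: [">"] }
        # Only allow subscriptions under a dedicated public subject tree.
        subscribe: { allow: ["public.>"] }
      }
    }
  ]
}

no_auth_user: "web-guest"
```

Upgrading to the fixed releases named under Fixed-In remains the actual fix; the permissions block only limits what an unrestricted mapping could reach.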