RATATOSKRATATOSK
Sign in

NATS

v2.12.7Networking & Messaging
Apr 15, 2026

v2.12.7 is a targeted bug-fix release addressing ACL bypass vulnerabilities, multiple leafnode panics, a JetStream consumer stuck state, and an MQTT JWT regression from 2.12.6.

  • securityPatch ACL bypass bugs immediately if you use deny rules or queue groups

    Two ACL enforcement bugs are fixed here. Overlapping wildcard patterns in deny ACLs were not enforced correctly, and queue subscriptions could bypass non-queue deny rules entirely. If your security model relies on deny-based ACLs — especially with wildcards or mixed queue/non-queue subscribers — treat this as a must-upgrade. Audit your ACL configurations after upgrading to confirm expected deny behavior is active.

  • breakingMQTT users on 2.12.6 must upgrade — auth callout JWT was broken

    If you deployed 2.12.6 with MQTT clients using auth callout, JWTs were not being forwarded to the callout service, meaning your auth logic was silently bypassed or failing. This regression is fixed in 2.12.7. Upgrade immediately and verify MQTT client authentication is functioning end-to-end.

  • enhancementmax_mem_store and max_file_store can now be increased via config reload

    You can now raise JetStream storage limits without restarting the server — just update the config and reload. Decreasing is still not supported via reload. Useful for capacity adjustments during peak periods without downtime. Plan your storage sizing with headroom so you can expand reactively if needed.

Key changes (5)

  • ACL security fixes: overlapping wildcard deny patterns now enforced correctly, and queue subscriptions can no longer bypass non-queue deny rules
  • MQTT regression fix: JWT is now correctly forwarded to auth callout for MQTT clients (broken since 2.12.6)
  • JetStream consumer fix: max_ack_pending no longer gets stuck when deleted messages linger in pending state
  • Leafnode stability: multiple panic fixes including account resolution failure and pre-CONNECT guard improvements
  • JetStream performance: subject purge now scans only relevant filestore blocks; filestore cache eviction is less aggressive after writes