RATATOSKRATATOSK
ログイン

NATS

v2.11.16Networking & Messaging
2026年4月15日

v2.11.16 is a security-focused patch fixing multiple ACL bypass vulnerabilities in queue subscriptions, leafnode inbound messages, and wildcard deny patterns — update immediately if you rely on NATS authorization.

  • securityACL bypass via queue subscriptions — patch now

    Queue subscribers could silently bypass deny rules intended for non-queue subscriptions. If your authorization model uses deny patterns to restrict subjects, those controls were not reliably applied. Audit your ACL configurations and update to v2.11.16 before anything else. This affects any multi-tenant or permission-isolated NATS deployment.

  • securityLeafnode ACL enforcement was incomplete — verify your leaf configs

    Inbound messages on leafnode connections were not always checked against ACL permissions. If you run leafnode-connected clusters with per-account or per-user authorization, treat this as a potential unauthorized data access vector. After upgrading, review leafnode user credentials and their associated permission sets.

  • breakingno_auth_user scope change may affect existing setups

    The no_auth_user option is now restricted to client connections only. If you had any tooling or configuration relying on no_auth_user applying to leafnode or other non-client connection types, those connections will now require explicit credentials. Test in staging before rolling this update to production leafnode infrastructure.

主な変更 (5)

  • Queue subscriptions could bypass non-queue ACL deny rules — now fixed
  • Overlapping wildcard patterns in ACL deny blocks were not fully enforced — now corrected
  • no_auth_user restricted to client connections only (was previously broader)
  • Leafnode ACL enforcement fixed for all inbound message paths, plus a pre-CONNECT panic fix
  • WebSocket fast-path now correctly picks up WebSocket-specific no_auth_user when configured