
CRE-2025-0046

NATS Permissions Violation Detected
Severity: Medium
Impact: 4/10
Mitigation: 4/10


Description

The NATS server has emitted a Permissions Violation log entry, meaning a client attempted to publish or subscribe to a subject for which it lacks permission.


Cause

* The client lacks publish/subscribe permissions for the subject it is using.


Mitigation

  • Verify credentials – confirm the `.creds`, NKey, or JWT files in the client deployment are correct.

  • Check permissions – in the server configuration (`authorization {}`) or the account JWT, ensure the user/account is allowed to perform the attempted PUB/SUB operation.

  • Rotate or re-issue keys/JWTs if credentials are compromised or expired, and update all clients.

  • Audit repeated failures – turn on verbose server logs temporarily and review for malicious activity or configuration drift.
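The two mitigation steps above that involve checking permissions and auditing repeated failures can both be worked through with a small script. The following is an added example written for this page; it is not code from the CRE catalogue or from the NATS project. It models NATS's documented subject matching (`*` matches one token, `>` matches one or more trailing tokens, an explicit deny overrides allow, and an absent allow list permits everything not denied) so you can test a user's `authorization {}` permission set against a subject before a client is deployed, and it tallies violation entries per user and subject so repeated failures stand out during an audit. The user names, subjects, permission lists and log lines are all constructed, and the log line format is only an approximation of what nats-server writes.

```python
"""Added example (not from the CRE-2025-0046 page or the NATS project).

1. A NATS-style subject matcher plus allow/deny evaluation, to check whether a
   user's permission set covers a subject (the root cause of this CRE).
2. A tally of constructed violation log lines per (user, operation, subject),
   so repeated failures surface during an audit.
All values below are constructed; the log line shape is approximated.
"""
import re
from collections import Counter


def subject_matches(pattern: str, subject: str) -> bool:
    """NATS-style matching on '.'-separated tokens:
    '*' matches exactly one token, '>' matches one or more trailing tokens."""
    p_tokens = pattern.split(".")
    s_tokens = subject.split(".")
    for i, p in enumerate(p_tokens):
        if p == ">":
            return len(s_tokens) > i      # '>' needs at least one more token
        if i >= len(s_tokens):
            return False                  # subject ran out of tokens
        if p != "*" and p != s_tokens[i]:
            return False
    return len(s_tokens) == len(p_tokens)  # no unmatched trailing tokens


def is_allowed(perms: dict, subject: str) -> bool:
    """Evaluate a permission set the way NATS documents it: any matching deny
    wins; if no allow list is given, everything not denied is permitted."""
    if any(subject_matches(d, subject) for d in perms.get("deny", [])):
        return False
    allow = perms.get("allow", [])
    return not allow or any(subject_matches(a, subject) for a in allow)


# Constructed publish permissions for a hypothetical user "svc-billing",
# as they might appear under authorization { users [ { permissions {...} } ] }.
BILLING_PUBLISH = {
    "allow": ["billing.>", "orders.*.status"],
    "deny": ["orders.create"],
}

# Constructed log lines approximating nats-server violation entries.
SAMPLE_LOG = """\
[1] 2025/05/01 10:00:01.000001 [ERR] 10.0.0.5:51234 - cid:7 - Publish Violation - User "svc-billing", Subject "orders.create"
[1] 2025/05/01 10:00:02.000001 [ERR] 10.0.0.5:51234 - cid:7 - Publish Violation - User "svc-billing", Subject "orders.create"
[1] 2025/05/01 10:00:03.000001 [ERR] 10.0.0.9:51300 - cid:9 - Subscription Violation - User "svc-reporting", Subject "_INBOX.>", SID 3
[1] 2025/05/01 10:00:04.000001 [INF] 10.0.0.9:51300 - cid:9 - Client connection closed
[1] 2025/05/01 10:00:05.000001 [ERR] 10.0.0.5:51234 - cid:7 - Publish Violation - User "svc-billing", Subject "orders.create"
"""

VIOLATION_RE = re.compile(
    r'\[ERR\] (?P<remote>\S+) - cid:\d+ - (?P<op>Publish|Subscription) Violation'
    r' - User "(?P<user>[^"]+)", Subject "(?P<subject>[^"]+)"'
)


def tally_violations(log_text: str) -> Counter:
    """Count violation lines keyed by (user, operation, subject)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            counts[(m["user"], m["op"], m["subject"])] += 1
    return counts


def repeated_offenders(counts: Counter, threshold: int = 3) -> list:
    """Keys whose count reaches the threshold: the first clients to check for
    wrong credentials, configuration drift or misuse."""
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Pre-deployment check: would this publish be allowed for svc-billing?
    for subj in ("orders.create", "billing.invoice.paid", "orders.123.status"):
        print(f"svc-billing publish to {subj!r}: "
              f"{'allowed' if is_allowed(BILLING_PUBLISH, subj) else 'DENIED'}")
    # Audit: which (user, op, subject) combinations keep failing?
    counts = tally_violations(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(f"{n}x {key}")
    print("repeated offenders:", repeated_offenders(counts))
```

Running the script shows `orders.create` denied for the constructed user even though it would otherwise fall under no allow rule, and lists the `svc-billing` publish failures as the one combination that crossed the repeat threshold; the single `svc-reporting` subscription failure is still reported in the tally but does not trip the threshold. In a real audit, feed the server's own log output into `tally_violations` after confirming the line format matches your nats-server version.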


References