CVE-2026-33222
Published 2026-03-25
CVE-2026-33222: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream…
Priority: P4 (29) · Severity: medium · CVSS 3.1 base score: 4.9
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:N / I:H / A:N
EPSS: 0.31% (22.2nd percentile)
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nats-server | < nats-server 2.12.6-1 (forky) | nats-server 2.12.6-1 (forky) |
| github.com | nats-io_nats-server_v2 | >= 0 < 2.11.15 | 2.11.15 |
| github.com | nats-io_nats-server_v2 | >= 2.12.0-RC.1 < 2.12.6 | 2.12.6 |
| linuxfoundation | nats-server | < 2.11.15 | 2.11.15 |
| linuxfoundation | nats-server | >= 0 < 2.12.6-1 | 2.12.6-1 |
| linuxfoundation | nats-server | >= 2.12.0 < 2.12.6 | 2.12.6 |
| nats-io | nats-server | < 2.11.15 | 2.11.15 |
| nats-io | nats-server | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
| osv | — | 4.9 | MEDIUM | — |
| vendor_debian | — | 4.9 | MEDIUM | — |
| vendor_redhat | — | 4.9 | MEDIUM | — |
Red Hat
CVE-2026-33222 [MEDIUM] CWE-639 nats-server: NATS-Server: Unauthorized data modification via JetStream stream restore
vendor_redhat · 2026-03-25 · CVSS 4.9
A flaw was found in NATS-Server, a high-performance messaging system. This vulnerability allows users with JetStream admin API access to restore data from one stream to unintended stream names. This can lead to unauthorized modification o
Debian
CVE-2026-33222 [MEDIUM] CVE-2026-33222: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...
vendor_debian · 2026 · CVSS 4.9
Scope: local
bookworm: open
forky: resolved (fixed in 2.12.6-1)
sid: resolved (fixed in 2.12.6-1)
trixie: open
OSV
CVE-2026-33222 NATS JetStream has an authorization bypass through its Management API in github.com/nats-io/nats-server
osv · 2026-03-26
OSV
CVE-2026-33222 [MEDIUM] CVE-2026-33222: NATS-Server is a High-Performance server for NATS
osv · 2026-03-25 · CVSS 4.9
OSV
CVE-2026-33222 [MEDIUM] NATS JetStream has an authorization bypass through its Management API
osv · 2026-03-24
### Background
NATS.io is a high-performance, open-source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore.
### Problem Description
Users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them.
### Affected Versions
Any version before v2.11.15 on the 2.11.x line, or before v2.12.6 on the 2.12.x line.
### Workarounds
If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
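The workaround above targets deployments that scoped a user to restoring a single stream by allowing only that stream's restore subject. The configuration below is an added illustration, not part of the advisory or of the nats-server project's own files; the stream name `orders`, the user `backup-operator`, the store path and the password hash are assumed. It shows a single-account `authorization` block where the per-stream restore grant (`$JS.API.STREAM.RESTORE.orders`) has been removed and restore is explicitly denied, which is what "temporarily remove those permissions" amounts to on a server that has not yet been upgraded to 2.11.15 or 2.12.6. The JetStream API subject names (`$JS.API.INFO`, `$JS.API.STREAM.INFO.<stream>`, `$JS.API.STREAM.RESTORE.<stream>`) are the standard JetStream management subjects; the `_INBOX.>` subscribe grant is what lets the client receive API replies.

```conf
# Added illustration (not from the advisory or the nats-server project).
# Assumed values: stream "orders", user "backup-operator", store path, bcrypt hash.
# Single-account deployment: JetStream is enabled for the default account.
jetstream {
  store_dir: "/var/lib/nats/jetstream"   # assumed path
}

authorization {
  users = [
    {
      user: "backup-operator"
      password: "$2a$11$REPLACE_WITH_BCRYPT_HASH"   # placeholder, generate with `nats server passwd`
      permissions {
        publish {
          # Read-only JetStream API calls this user still needs.
          allow: [
            "$JS.API.INFO",
            "$JS.API.STREAM.INFO.orders"
          ]
          # Workaround for pre-fix servers: the per-stream grant
          #   "$JS.API.STREAM.RESTORE.orders"
          # has been removed from `allow`, and every restore subject is denied
          # so that no other allow rule can re-open it by accident.
          deny: [
            "$JS.API.STREAM.RESTORE.>"
          ]
        }
        subscribe {
          # Reply inboxes for the JetStream API requests above.
          allow: ["_INBOX.>"]
        }
      }
    }
  ]
}
```

After upgrading to 2.11.15 or 2.12.6 the `deny` entry can be dropped and the per-stream restore grant restored; until then, any restore for `orders` has to be performed by an operator account that is trusted for every stream in the account, since the pre-fix server does not hold a scoped user to the stream named in the subject.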
GHSA
CVE-2026-33222 [MEDIUM] CWE-285 NATS JetStream has an authorization bypass through its Management API
ghsa · 2026-03-24
No detection rules found.
No public exploits indexed.
Published: 2026-03-25