cbcvebase.
CVE-2026-33222
published 2026-03-25

CVE-2026-33222: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream…

PriorityP429medium4.9CVSS 3.1
AVNACLPRHUINSUCNIHAN
EPSS
0.31%
22.2th percentile
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.

Affected

8 ranges
VendorProductVersion rangeFixed in
debiannats-server< nats-server 2.12.6-1 (forky)nats-server 2.12.6-1 (forky)
github.comnats-io_nats-server_v2>= 0 < 2.11.152.11.15
github.comnats-io_nats-server_v2>= 2.12.0-RC.1 < 2.12.62.12.6
linuxfoundationnats-server< 2.11.152.11.15
linuxfoundationnats-server>= 0 < 2.12.6-12.12.6-1
linuxfoundationnats-server>= 2.12.0 < 2.12.62.12.6
nats-ionats-server< 2.11.152.11.15
nats-ionats-server

CVSS provenance

nvdv3.14.9MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
osv4.9MEDIUM
vendor_debian4.9MEDIUM
vendor_redhat4.9MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.