CVE-2026-33222Improper Authorization in Nats-server

CWE-285Improper AuthorizationCWE-639Authorization Bypass Through User-Controlled Key8 documents6 sources
Severity
4.9MEDIUMNVD
EPSS
0.0%
top 93.07%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Nats-io Nats-serverLinuxfoundation Nats-serverGithub.com Nats-io Nats-server V2+1 more
Timeline
PublishedMar 25
Latest updateMar 26

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages5 packages

debiandebian/nats-server< nats-server 2.12.6-1 (forky)
CVEListV5nats-io/nats-server< 2.11.15+1
NVDlinuxfoundation/nats-server2.12.02.12.6+1
Gogithub.com/nats-io_nats-server_v22.12.0-RC.12.12.6+1
Debianlinuxfoundation/nats-server< 2.12.6-1

🔴Vulnerability Details

4
OSV
NATS JetStream has an authorization bypass through its Management API in github.com/nats-io/nats-server2026-03-26
OSV
CVE-2026-33222: NATS-Server is a High-Performance server for NATS2026-03-25
OSV
NATS JetStream has an authorization bypass through its Management API2026-03-24
GHSA
NATS JetStream has an authorization bypass through its Management API2026-03-24

📋Vendor Advisories

2
Red Hat
nats-server: NATS-Server: Unauthorized data modification via JetStream stream restore2026-03-25
Debian
CVE-2026-33222: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-33222 Impact, Exploitability, and Mitigation Steps | Wiz