CVE-2026-33222

MEDIUM

NATS JetStream Management API - Authorization Bypass

Title source: manual

Description

NATS-Server is a high-performance server for NATS.io, a cloud- and edge-native messaging system. Prior to versions 2.11.15 and 2.12.6, a user whose JetStream admin API permissions allowed restoring one stream could also restore to other stream names, overwriting data that should have been protected from that user. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if users have been configured with limited JetStream restore permissions, temporarily remove those permissions until the server is upgraded.

References (2)

Core references (2)
https://advisories.nats.io/CVE/secnote-2026-12.txt (x_refsource_misc)

Scores

CVSS v3 4.9
EPSS 0.0029
EPSS Percentile 20.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-285
Status published
Products (5)
linuxfoundation/nats-server < 2.11.15
nats-io/nats-server (Go) 0
nats-io/nats-server (Go) 0 - 2.11.15
nats-io/nats-server < 2.11.15
nats-io/nats-server >= 2.12.0-RC.1, < 2.12.6
Published Mar 25, 2026
Tracked Since Mar 26, 2026