NATS JetStream has an authorization bypass through its Management API

4.9 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.

Basic Information

ID CVE-2026-33222

Source GitHub_M

Published Mar 25, 2026 at 20:10

Modified Mar 26, 2026 at 15:26

Affected Product

Vendor nats-io

Product nats-server

Version < 2.11.15

Affected Versions nats-io nats-server < 2.11.15
nats-io nats-server >= 2.12.0-RC.1, < 2.12.6

CWE Classification

CWE-285

References

{
    "lastseen": "",
    "description": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.",
    "published": "2026-03-25T20:10:51.107Z",
    "modified": "2026-03-26T15:26:11.351Z",
    "type": "cve",
    "title": "NATS JetStream has an authorization bypass through its Management API",
    "source": "GitHub_M",
    "references": "https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c\nhttps://advisories.nats.io/CVE/secnote-2026-12.txt",
    "id": "CVE-2026-33222",
    "bulletinFamily": "",
    "cwe": [
        "CWE-285"
    ],
    "cvelist": null,
    "sourceData": "nats-io nats-server < 2.11.15\nnats-io nats-server >= 2.12.0-RC.1, < 2.12.6",
    "sourceHref": "",
    "cvss": {
        "score": 4.9,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "nats-server",
    "version": "< 2.11.15",
    "vendor": "nats-io",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

NATS JetStream has an authorization bypass through its Management API_CVE-2026-33222