Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
Published: 2026-03-25
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation (Authorization Bypass)
Action: Apply patch
AI Analysis

Impact

An authorization bypass vulnerability was discovered in NATS-Server’s JetStream management API. The flaw allows an attacker who has JetStream admin API access to one stream to restore data into an entirely different stream, exposing data that should remain isolated and compromising confidentiality. The weakness reflects improper authorization checks (CWE-285) and incorrect handling of restore permissions (CWE-639).

Affected Systems

Vulnerable versions of the NATS-Server from nats-io include all releases prior to 2.11.15 on the 2.11.x branch and prior to 2.12.6 on the 2.12.x branch. The issue affects the Linux Foundation’s NATS Server, a high‑performance messaging platform used in cloud and edge environments.

Risk and Exploitability

The CVSS v3.1 score is 4.9, indicating moderate severity. The Exploit Prediction Scoring System estimates a less than 1 percent probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path requires an attacker to already have JetStream restore permissions; broad or overly generous access increases risk. Updating the server or restricting restore rights mitigates the threat.

Generated by OpenCVE AI on March 26, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NATS-Server to version 2.11.15 or later, or 2.12.6 or later.
  • If an upgrade cannot be performed immediately, temporarily remove JetStream restore permissions from users or restrict restore access to only the streams that require it.
  • Verify the current server version to confirm that the fix has been applied.
  • Monitor access logs for any unauthorized JetStream restore attempts.

Generated by OpenCVE AI on March 26, 2026 at 18:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9983-vrx2-fg9c NATS JetStream has an authorization bypass through its Management API
History

Thu, 26 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation nats-server
CPEs cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation nats-server

Thu, 26 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nats
Nats nats Server
Vendors & Products Nats
Nats nats Server

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 25 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
Title NATS JetStream has an authorization bypass through its Management API
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Linuxfoundation Nats-server
Nats Nats Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T15:26:11.351Z

Reserved: 2026-03-17T23:23:58.315Z

Link: CVE-2026-33222

cve-icon Vulnrichment

Updated: 2026-03-26T15:26:08.142Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T21:16:47.237

Modified: 2026-03-26T17:17:38.877

Link: CVE-2026-33222

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T20:10:51Z

Links: CVE-2026-33222 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:29:50Z

Weaknesses