CVE-2026-33222
Last modified
CVE-2026-33222 is a medium-severity vulnerability rated 4.9/10 on the CVSS scale. NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. EPSS estimates a 0.31% chance of exploitation in the next 30 days.
Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Nats-Server | < 2.11.15 |
| Linuxfoundation | Nats-Server | >= 2.12.0, < 2.12.6 |
References
- https://advisories.nats.io/CVE/secnote-2026-12.txtMitigation, Vendor Advisory
- https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9cMitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-33222?
How severe is CVE-2026-33222?
How do I fix CVE-2026-33222?
Are you affected by CVE-2026-33222?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST