CVE-2026-33222
Received Received - Intake
Improper Access Control in NATS JetStream Restore Function

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33222
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation nats-server From 2.12.0 (inc) to 2.12.6 (exc)
linuxfoundation nats-server to 2.11.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33222 is an authentication bypass vulnerability in the JetStream stream restore endpoint of the NATS.io server. JetStream is a persistent storage feature that includes a management API for backup and restore operations. This vulnerability allows users who have JetStream admin API access to restore one data stream to arbitrary other stream names. As a result, they can potentially modify or overwrite data streams they should not have permission to affect.

Impact Analysis

This vulnerability can impact you by allowing an attacker or unauthorized user with JetStream admin API restore permissions to modify or overwrite data streams that should be protected from them. This compromises data integrity by enabling unauthorized changes to persistent data streams. The attack requires network access and high privileges but no user interaction, and it does not affect data confidentiality or availability.

Mitigation Strategies

To mitigate this vulnerability immediately, administrators should temporarily remove JetStream restore permissions from users who have limited restore privileges. This prevents unauthorized data modification until the system can be upgraded.

Additionally, upgrading the nats-server to versions 2.11.15 or 2.12.6 (or later) will apply the official fix for this vulnerability.

Compliance Impact

The vulnerability allows users with JetStream admin API access to restore one stream to arbitrary other stream names, potentially modifying or overwriting data streams they should not have permission to affect. This impacts data integrity by allowing unauthorized modification of data.

Such unauthorized modification of data could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require strict controls to protect data integrity and prevent unauthorized access or alteration of sensitive information.

Therefore, until patched versions (2.11.15 and 2.12.6) are applied or permissions are restricted as a workaround, organizations using affected versions may face compliance risks related to data integrity and protection requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33222. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart