CVE-2026-33222
Received Received - Intake

Improper Access Control in NATS JetStream Restore Function

Vulnerability report for CVE-2026-33222, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-07-06
AI Q&A
2026-03-26
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation nats-server From 2.12.0 (inc) to 2.12.6 (exc)
linuxfoundation nats-server to 2.11.15 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-33222 is an authentication bypass vulnerability in the JetStream stream restore endpoint of the NATS.io server. JetStream is a persistent storage feature that includes a management API for backup and restore operations. This vulnerability allows users who have JetStream admin API access to restore one data stream to arbitrary other stream names. As a result, they can potentially modify or overwrite data streams they should not have permission to affect.

Impact Analysis

This vulnerability can impact you by allowing an attacker or unauthorized user with JetStream admin API restore permissions to modify or overwrite data streams that should be protected from them. This compromises data integrity by enabling unauthorized changes to persistent data streams. The attack requires network access and high privileges but no user interaction, and it does not affect data confidentiality or availability.

Mitigation Strategies

To mitigate this vulnerability immediately, administrators should temporarily remove JetStream restore permissions from users who have limited restore privileges. This prevents unauthorized data modification until the system can be upgraded.

Additionally, upgrading the nats-server to versions 2.11.15 or 2.12.6 (or later) will apply the official fix for this vulnerability.

Compliance Impact

The vulnerability allows users with JetStream admin API access to restore one stream to arbitrary other stream names, potentially modifying or overwriting data streams they should not have permission to affect. This impacts data integrity by allowing unauthorized modification of data.

Such unauthorized modification of data could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require strict controls to protect data integrity and prevent unauthorized access or alteration of sensitive information.

Therefore, until patched versions (2.11.15 and 2.12.6) are applied or permissions are restricted as a workaround, organizations using affected versions may face compliance risks related to data integrity and protection requirements.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33222. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart