CVE-2026-33222
Improper Access Control in NATS JetStream Restore Function
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | nats-server | From 2.12.0 (inc) to 2.12.6 (exc) |
| linuxfoundation | nats-server | to 2.11.15 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33222 is an authentication bypass vulnerability in the JetStream stream restore endpoint of the NATS.io server. JetStream is a persistent storage feature that includes a management API for backup and restore operations. This vulnerability allows users who have JetStream admin API access to restore one data stream to arbitrary other stream names. As a result, they can potentially modify or overwrite data streams they should not have permission to affect.
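The access-control decision described above, modelled as an added Go example that is not nats-server code: it assumes only the public JetStream API subject layout `$JS.API.STREAM.RESTORE.<stream>` and the `config.name` field of the restore request body, and shows why a subject-level publish ACL on its own cannot bind a restore to the stream the caller was granted; the ACL list and request bodies are constructed sample data.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)

// Illustrative model, not nats-server code. Only the subject layout
// $JS.API.STREAM.RESTORE.<stream> and the body field config.name come from the
// public JetStream API; ACL lists and request bodies below are constructed.
const restorePrefix = "$JS.API.STREAM.RESTORE."
// matchSubject applies NATS wildcard rules: "*" matches exactly one token,
// ">" matches one or more trailing tokens.
func matchSubject(pattern, subject string) bool {
	p, s := strings.Split(pattern, "."), strings.Split(subject, ".")
	for i, tok := range p {
		if tok == ">" {
			return len(s) > i
		}
		if i >= len(s) || (tok != "*" && tok != s[i]) {
			return false
		}
	}
	return len(p) == len(s)
}

// authorizeRestore passes only if the caller's publish ACL covers the subject
// AND the stream named in the body is the stream the subject names; a subject
// ACL alone cannot enforce that second condition (the gap CVE-2026-33222 describes).
func authorizeRestore(allow []string, subject string, body []byte) error {
	permitted := false
	for _, pat := range allow {
		permitted = permitted || matchSubject(pat, subject)
	}
	if !permitted {
		return fmt.Errorf("publish on %q not permitted", subject)
	}
	target := strings.TrimPrefix(subject, restorePrefix)
	if target == subject || target == "" || strings.ContainsAny(target, ".*>") {
		return fmt.Errorf("not a single-stream restore subject: %q", subject)
	}
	var req struct{ Config struct{ Name string `json:"name"` } `json:"config"` }
	if err := json.Unmarshal(body, &req); err != nil {
		return fmt.Errorf("bad restore request: %w", err)
	}
	if req.Config.Name != target {
		return fmt.Errorf("body targets %q, subject permits only %q", req.Config.Name, target)
	}
	return nil
}
```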
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker or unauthorized user with JetStream admin API restore permissions to modify or overwrite data streams that should be protected from them. This compromises data integrity by enabling unauthorized changes to persistent data streams. The attack requires network access and high privileges but no user interaction, and it does not affect data confidentiality or availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, administrators should temporarily remove JetStream restore permissions from users who are only meant to hold limited restore privileges. This prevents unauthorized data modification until the system can be upgraded.
Additionally, upgrading the nats-server to versions 2.11.15 or 2.12.6 (or later) will apply the official fix for this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows users with JetStream admin API access to restore one stream to arbitrary other stream names, potentially modifying or overwriting data streams they should not have permission to affect. This impacts data integrity by allowing unauthorized modification of data.
Such unauthorized modification of data could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require strict controls to protect data integrity and prevent unauthorized access or alteration of sensitive information.
Therefore, until patched versions (2.11.15 and 2.12.6) are applied or permissions are restricted as a workaround, organizations using affected versions may face compliance risks related to data integrity and protection requirements.