← Back to CVEs
CVE-2026-33222
MEDIUM4.9
Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
CVE Details
CVSS v3.1 Score4.9
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredHIGH
User InteractionNONE
Published3/25/2026
Last Modified3/26/2026
Sourcenvd
Honeypot Sightings0
Affected Products
linuxfoundation:nats-server
Weaknesses (CWE)
CWE-285
References
https://advisories.nats.io/CVE/secnote-2026-12.txt(security-advisories@github.com)
https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.