{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33222", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.315Z", "datePublished": "2026-03-25T20:10:51.107Z", "dateUpdated": "2026-03-26T15:26:11.351Z"}, "containers": {"cna": {"title": "NATS JetStream has an authorization bypass through its Management API", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-12.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-12.txt"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": "< 2.11.15", "status": "affected"}, {"version": ">= 2.12.0-RC.1, < 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T20:10:51.107Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions."}], "source": {"advisory": "GHSA-9983-vrx2-fg9c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:26:05.405419Z", "id": "CVE-2026-33222", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:26:11.351Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33222", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.315Z", "datePublished": "2026-03-25T20:10:51.107Z", "dateUpdated": "2026-03-26T15:26:11.351Z"}, "containers": {"cna": {"title": "NATS JetStream has an authorization bypass through its Management API", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-12.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-12.txt"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": "< 2.11.15", "status": "affected"}, {"version": ">= 2.12.0-RC.1, < 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T20:10:51.107Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions."}], "source": {"advisory": "GHSA-9983-vrx2-fg9c", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33222", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T15:26:05.405419Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:26:08.142Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C", "versionEndExcluding": "2.11.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154", "versionEndExcluding": "2.12.6", "versionStartIncluding": "2.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions."}], "id": "CVE-2026-33222", "lastModified": "2026-03-26T17:17:38.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T21:16:47.237", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://advisories.nats.io/CVE/secnote-2026-12.txt"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "nats-server: NATS-Server: Unauthorized data modification via JetStream stream restore", "id": "2451480", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451480"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-639", "details": ["A flaw was found in NATS-Server, a high-performance messaging system. This vulnerability allows users with JetStream admin API access to restore data from one stream to unintended stream names. This can lead to unauthorized modification or overwriting of data that should have been protected, compromising data integrity."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33222", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Fix deferred", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-25T20:10:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33222\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33222\nhttps://advisories.nats.io/CVE/secnote-2026-12.txt\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.12.0-RC.1,2.12.6)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "nats-server", "source": "cna", "vendor": "nats-io"}, "product": "nats_server", "vendor": "nats"}], "analysis": {"en": {"generated_at": "2026-03-26T03:17:44.312370+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading to NATS-IO NATS Server 2.11.15 or later, or 2.12.6 or later.", "If immediate patching is not possible, temporarily remove restore permissions from users as a workaround.", "Validate that only necessary JetStream permissions are granted to users and monitor for unauthorized restore attempts.", "Continuously review NATS-IO advisories for updated patches or additional mitigations."], "summary": {"action": "Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "Version numbers 2.11.x below 2.11.15 and 2.12.x below 2.12.6 are affected. All deployments of NATS-IO NATS Server using these releases and enabled JetStream functionality are potentially vulnerable. The fix is included in the 2.11.15 and 2.12.6 releases.", "description_and_impact": "NATS-IO NATS Server exposes a flaw in its JetStream Management API that allows a user with JetStream admin permissions to restore data to an arbitrary stream name. This authorization bypass means that data intended to be protected by stream isolation can be overwritten or read by an attacker, violating confidentiality and integrity guarantees.", "risk_and_exploitability": "The CVSS score of 4.9 indicates a low severity rating. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to already possess JetStream admin API credentials, so the attack vector is likely from internal or compromised accounts rather than external remote execution. However, if privileged credentials are compromised, the attacker can recover or corrupt data across streams."}}}}, "created": "2026-03-25T21:46:16.232531+00:00", "updated": "2026-03-26T12:09:40.322287+00:00", "vendors": ["nats", "nats$PRODUCT$nats_server"]}