PT-2026-27617 · Nats.Io · Nats Server
Published 2026-03-24 · Updated 2026-05-21 · CVE-2026-33222
CVSS v3.1: 4.9 (Medium)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
NATS-Server versions prior to 2.11.15
NATS-Server versions prior to 2.12.6
Description
NATS-Server, the high-performance server for NATS.io, did not correctly scope JetStream stream-restore permissions: a user whose JetStream admin API permissions allowed restoring one specific stream could also restore into streams with other names, writing data into streams that user was not authorized to modify. The affected code path is the JetStream management API, specifically its backup and restore functionality. The CVSS vector (PR:H, I:H) reflects that exploitation requires an account that already holds a restore permission and that the impact is to the integrity of other streams' data rather than to confidentiality or availability.
Recommendations
Update to version 2.11.15 or later.
Update to version 2.12.6 or later.
Until the upgrade is applied, if any users have been granted JetStream restore permissions limited to specific streams, temporarily remove those permissions.
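As an added triage aid for the recommendations above (this script is written for this page and is not code from the NATS project or from the advisory), the POSIX shell script below classifies a nats-server version string against the fixed releases named above and scans a server configuration file for JetStream restore grants limited to a single stream, which are the permissions the last recommendation says to remove until the upgrade. It assumes that a per-stream restore permission is expressed as a publish allow entry for the JetStream API subject `$JS.API.STREAM.RESTORE.<stream>` in an inline nats-server configuration, that releases on branches newer than 2.12 include the fix, and it uses a constructed sample configuration (`sample_config`) rather than a real deployment.

```shell
#!/bin/sh
# Added example for this advisory (not nats-server's own code or tooling):
# a pre-upgrade triage script for CVE-2026-33222. It (1) classifies a
# nats-server version string against the fixed releases the advisory names
# (2.11.15 and 2.12.6) and (2) lists per-stream JetStream restore grants in
# a server config, the "limited restore permissions" the advisory says to
# remove until the server is upgraded.
#
# Assumptions (not from the advisory): releases on branches newer than 2.12
# are treated as fixed; the config scan only understands inline permissions
# in a nats-server .conf file (accounts resolved from JWTs or an external
# resolver are not covered).

# nats_status VERSION_STRING -> prints "fixed", "affected" or "unknown".
# Accepts the raw output of `nats-server --version` ("nats-server: v2.11.14")
# or a bare "2.11.14".
nats_status() {
  prefix=${1%%[0-9]*}          # text before the first digit, e.g. "nats-server: v"
  ver=${1#"$prefix"}
  ver=${ver%%[!0-9.]*}         # drop a "-rc.1"-style suffix; pre-releases are not ordered
  IFS=. read -r major minor patch <<EOF
$ver
EOF
  for n in "$major" "$minor" "$patch"; do
    case $n in ''|*[!0-9]*) echo unknown; return 0 ;; esac
  done
  if [ "$major" -ne 2 ]; then
    [ "$major" -gt 2 ] && echo fixed || echo affected   # 1.x is "prior to 2.11.15"
    return 0
  fi
  if [ "$minor" -ge 13 ]; then
    echo fixed                      # assumption: later branches carry the fix
  elif [ "$minor" -eq 12 ]; then
    [ "$patch" -ge 6 ] && echo fixed || echo affected
  elif [ "$minor" -eq 11 ]; then
    [ "$patch" -ge 15 ] && echo fixed || echo affected
  else
    echo affected                   # 2.10 and older are "prior to 2.11.15"
  fi
  return 0
}

# restore_grants CONFIG_FILE -> prints every line (with line number) that
# names $JS.API.STREAM.RESTORE.<specific stream>. Wildcard grants
# ($JS.API.STREAM.RESTORE.> or .*) are skipped: a user allowed to restore
# every stream is not crossing a stream boundary, which is what this CVE is
# about. Deny entries are printed too, so review each hit in context.
# Exit status follows grep: 0 if something was found, 1 if nothing was.
restore_grants() {
  grep -n -E 'JS\.API\.STREAM\.RESTORE\.[^>*"]' "$1"
}

# Constructed sample config (not a real deployment): account APP has one
# full JetStream admin and one user limited to restoring the "orders" stream.
# Subjects beyond the ones needed to show the grant are omitted.
sample_config() {
  cat <<'EOF'
jetstream {
  store_dir: /var/lib/nats
}
accounts {
  APP {
    jetstream: enabled
    users: [
      { user: admin, password: "REPLACE_ME",
        permissions: { publish: { allow: ["$JS.API.>", "orders.>"] },
                       subscribe: { allow: ["_INBOX.>", "orders.>"] } } },
      { user: restorer, password: "REPLACE_ME",
        permissions: { publish: { allow: ["$JS.API.INFO",
                                          "$JS.API.STREAM.INFO.orders",
                                          "$JS.API.STREAM.RESTORE.orders"] },
                       subscribe: { allow: ["_INBOX.>"] } } }
    ]
  }
}
EOF
}

# Stand-alone demonstration on constructed inputs. On a real host replace the
# version strings with "$(nats-server --version 2>&1)" and the temp file with
# the server's configuration path.
for v in "nats-server: v2.11.14" "nats-server: v2.11.15" "v2.12.5" "2.12.6" "2.10.29" "not-a-version"; do
  printf '%-24s %s\n' "$v" "$(nats_status "$v")"
done
tmp=$(mktemp)
sample_config > "$tmp"
echo "per-stream restore grants in $tmp:"
restore_grants "$tmp"
rm -f "$tmp"
```

Any hit on a specific stream name should be removed from the user's `allow` list (or placed under `deny`) until the server is on 2.11.15 or 2.12.6, after which the original grant can be put back. The scan only sees inline `permissions` blocks; accounts whose permissions live in JWT claims or an external resolver need the same review there.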
Weakness Enumeration
Improper Authorization
Related Identifiers
CVE-2026-33222
Affected Products
Nats Server