GHSA-9983-VRX2-FG9C
Vulnerability from github – Published: 2026-03-24 21:49 – Updated: 2026-03-24 21:49
VLAI?
Summary
NATS JetStream has an authorization bypass through its Management API
Details
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore.
Problem Description
Users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
Severity ?
4.9 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.12.0-RC.1"
},
{
"fixed": "2.12.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33222"
],
"database_specific": {
"cwe_ids": [
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T21:49:34Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Background\n\nNATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.\n\nThe persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore.\n\n### Problem Description\n\nUsers with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them.\n\n### Affected Versions\n\nAny version before v2.12.6 or v2.11.15\n\n### Workarounds\n\nIf developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.",
"id": "GHSA-9983-vrx2-fg9c",
"modified": "2026-03-24T21:49:35Z",
"published": "2026-03-24T21:49:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c"
},
{
"type": "WEB",
"url": "https://advisories.nats.io/CVE/secnote-2026-12.txt"
},
{
"type": "PACKAGE",
"url": "https://github.com/nats-io/nats-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "NATS JetStream has an authorization bypass through its Management API"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…