CVE-2022-24450
Description
NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users in NATS nats-server before 2.7.2 can escalate to System account privileges via a bug in the sandbox accounts feature.
Vulnerability
A coding error in the experimental "dynamically provisioned sandbox accounts" feature of NATS nats-server allows any authenticated user to assume the privileges of any other account, including the System account. The bug exists in all 2.x versions up to and including 2.7.1, and in NATS Streaming Server versions v0.15.0 through v0.24.0 (which embed the affected server). The feature was never documented or supported in client libraries, but remained in the code and was used in tests [2][3].
Exploitation
An attacker with valid credentials for any account can, during the initial protocol-level handshake, specify a target account (such as the System account) and be immediately placed into that account. No additional privileges or user interaction are required beyond possessing valid credentials for any tenant [2][3].
Impact
Successful exploitation grants the attacker full control over the System account, which governs core nats-server operations. This includes the ability to manage accounts, subjects, and other administrative functions, effectively compromising the entire NATS deployment [2][3].
Mitigation
The vulnerability is fixed in nats-server version 2.7.2 and nats-streaming-server version 0.24.1. The fix removes the experimental feature entirely. No workaround is available; upgrading to the patched versions is the only mitigation [2][3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/nats-io/nats-server/v2 (Go) | >= 2.0.0, < 2.7.2 | 2.7.2 |
| github.com/nats-io/nats-streaming-server (Go) | >= 0.15.0, < 0.24.1 | 0.24.1 |
Affected products
- NATS/nats-server (OSV coordinates, 3 version ranges; no CPE assigned):
  - pkg:bitnami/nats: >= 2.0.0, < 2.7.2
  - pkg:golang/github.com/nats-io/nats-server/v2: >= 2.0.0, < 2.7.2
  - pkg:golang/github.com/nats-io/nats-streaming-server: >= 0.15.0, < 0.24.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g6w6-r76c-28j7 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-24450 (GHSA, advisory)
- advisories.nats.io/CVE/CVE-2022-24450.txt (GHSA, x_refsource_CONFIRM, web)
- github.com/nats-io/nats-server/releases/tag/v2.7.2 (GHSA, x_refsource_MISC, web)
- github.com/nats-io/nats-server/security/advisories/GHSA-g6w6-r76c-28j7 (GHSA, web)
News mentions
No linked articles in our index yet.