VYPR
Medium severity (6.3) · GHSA Advisory · Published Jul 11, 2024 · Updated Apr 15, 2026

CVE-2022-29946

Description

NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 fail to enforce negative user permissions when a queue subscription on a wildcard is used, allowing subject access bypass.

Vulnerability

Overview

NATS.io NATS Server before version 2.8.2 and Streaming Server before version 0.24.6 contain a flaw in subscribe-permission enforcement. The root cause is that negative user permissions (the deny entries in a user's subscribe permissions) are not enforced in one specific scenario: a queue subscription whose subject is a wildcard overlapping the denied subjects [1][2].

Exploitation

Conditions

A remote attacker exploits this by creating a queue subscription on a wildcard subject. The attacker needs network access to the NATS server and must be able to authenticate as a user whose permissions contain deny entries; no privilege beyond that of an ordinary authenticated user is required. The user must hold subscribe permission on a wildcard (for example an allow entry ending in ">") that covers the denied subjects, since a subscription that fell outside the allow list would be rejected outright. In that configuration the server accepts the wildcard queue subscription but fails to apply the configured deny entries (negative permissions) to it [1][3].

Impact

Successful exploitation lets the attacker receive messages published to subjects that the user's deny list was meant to block, bypassing the restriction the administrator configured. The published description concerns the subscribe side only (delivery of messages on denied subjects to the queue subscriber); it does not describe a bypass of publish permissions [2].
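To make the expected enforcement concrete, the following Go program is an added reference model of NATS subscribe permissions; it is not nats-server code and does not reproduce the flaw. It implements NATS subject matching ("*" for one token, ">" for the remaining tokens), applies the allow list and then the deny list, and shows that a message on a denied subject must be dropped for a queue subscription on a wildcard exactly as for a plain subscription. The user configuration it mirrors (allow "orders.>", deny "orders.secret"), the queue name "workers" and the list of received subjects are all assumptions constructed for the example. Violations returns the subjects a restricted subscriber should never have received, which is the check to run over a capture taken from a live server.

```go
// Reference model of NATS subscribe permissions (allow/deny lists with "*" and ">"
// wildcards). Added example, not nats-server code. The user config it mirrors is an
// assumption about the deployment:
//
//   authorization {
//     users = [
//       { user: "worker", password: "...",
//         permissions: { subscribe: { allow: ["orders.>"], deny: ["orders.secret"] } } }
//     ]
//   }
//
// Queue-qualified permission entries ("subject queue"), which NATS also accepts,
// are deliberately not modelled.
package main

import (
	"fmt"
	"strings"
)

// subjectMatches reports whether subject matches pattern. Tokens are dot-separated;
// "*" matches exactly one token, ">" (only valid as the last token) matches one or
// more remaining tokens.
func subjectMatches(pattern, subject string) bool {
	pt := strings.Split(pattern, ".")
	st := strings.Split(subject, ".")
	for i, p := range pt {
		if p == ">" {
			return i == len(pt)-1 && len(st) >= i+1
		}
		if i >= len(st) {
			return false
		}
		if p != "*" && p != st[i] {
			return false
		}
	}
	return len(pt) == len(st)
}

func matchesAny(patterns []string, subject string) bool {
	for _, p := range patterns {
		if subjectMatches(p, subject) {
			return true
		}
	}
	return false
}

// SubPermissions is a user's subscribe permission set. An empty Allow means every
// subject is allowed unless denied.
type SubPermissions struct {
	Allow []string
	Deny  []string
}

// SubscriptionAllowed says whether the server should accept a SUB on subSubject.
// A wildcard subscription that merely overlaps a deny entry (orders.> vs
// orders.secret) is still accepted; the deny is then enforced per message.
func (p SubPermissions) SubscriptionAllowed(subSubject string) bool {
	if len(p.Allow) > 0 && !matchesAny(p.Allow, subSubject) {
		return false
	}
	return !matchesAny(p.Deny, subSubject)
}

// Deliverable says whether a message on msgSubject may reach a subscription on
// subSubject. queue is the queue group name or "" for a plain subscription; it is
// accepted only to document that it must not change the result.
func (p SubPermissions) Deliverable(subSubject, queue, msgSubject string) bool {
	_ = queue // queue membership must never weaken the deny list
	if !p.SubscriptionAllowed(subSubject) || !subjectMatches(subSubject, msgSubject) {
		return false
	}
	return !matchesAny(p.Deny, msgSubject)
}

// Violations returns the subjects in received that the permissions should have
// blocked for this subscription. Any entry in a capture from a live server is
// evidence that deny enforcement was bypassed.
func (p SubPermissions) Violations(subSubject, queue string, received []string) []string {
	var out []string
	for _, s := range received {
		if !p.Deliverable(subSubject, queue, s) {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	perms := SubPermissions{Allow: []string{"orders.>"}, Deny: []string{"orders.secret"}}
	for _, msg := range []string{"orders.new", "orders.secret"} {
		for _, q := range []string{"", "workers"} {
			fmt.Printf("sub=orders.> queue=%q msg=%s deliver=%v\n", q, msg, perms.Deliverable("orders.>", q, msg))
		}
	}
	// Constructed capture standing in for what a queue subscriber might have received.
	received := []string{"orders.new", "orders.secret", "orders.ship"}
	fmt.Println("violations:", perms.Violations("orders.>", "workers", received))
}
```

The model encodes the invariant the patched servers restore: the deny list is evaluated against the subject of every delivered message, and the presence of a queue group on the subscription plays no part in that decision.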

Mitigation

The vulnerability is fixed in NATS Server 2.8.2 and NATS Streaming Server 0.24.6; operators should upgrade to those versions or later (the running version is printed by nats-server -v). There is no evidence of active exploitation in the wild, and the CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        Affected versions   Patched versions
github.com/nats-io/nats-server/v2 (Go)         < 2.8.2             2.8.2
github.com/nats-io/nats-streaming-server (Go)  < 0.24.6            0.24.6

Affected products (3)

Patches (0)

No patch commits are linked in this record yet; the fixed releases are listed under Affected packages.


References (3)
