Moderate severity · NVD Advisory · Published Mar 25, 2026 · Updated Mar 26, 2026
NATS JetStream has an authorization bypass through its Management API
CVE-2026-33222
Description
NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/nats-io/nats-server/v2 | Go | < 2.11.15 | 2.11.15 |
| github.com/nats-io/nats-server/v2 | Go | >= 2.12.0-RC.1, < 2.12.6 | 2.12.6 |
| github.com/nats-io/nats-server | Go | >= 0 | — |
Affected products
- Range: < 2.11.15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-9983-vrx2-fg9c (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33222 (GHSA, ADVISORY)
- advisories.nats.io/CVE/secnote-2026-12.txt (GHSA, x_refsource_MISC, WEB)
- github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c (GHSA, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.