Moderate severityNVD Advisory· Published Mar 25, 2026· Updated Mar 26, 2026
NATS JetStream has an authorization bypass through its Management API
CVE-2026-33222
Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/nats-io/nats-server/v2Go | < 2.11.15 | 2.11.15 |
github.com/nats-io/nats-server/v2Go | >= 2.12.0-RC.1, < 2.12.6 | 2.12.6 |
github.com/nats-io/nats-serverGo | >= 0 | — |
Affected products
39- osv-coords38 versionspkg:apk/chainguard/k3spkg:apk/chainguard/k3s-1.32pkg:apk/chainguard/k3s-1.33pkg:apk/chainguard/k3s-staticpkg:apk/chainguard/k3s-static-1.32pkg:apk/chainguard/k3s-static-1.33pkg:apk/chainguard/kinepkg:apk/chainguard/milvus-2.5pkg:apk/chainguard/natspkg:apk/chainguard/nats-fipspkg:apk/chainguard/nats-toppkg:apk/chainguard/nats-top-fipspkg:apk/chainguard/prometheus-nats-exporterpkg:apk/chainguard/prometheus-nats-exporter-fipspkg:apk/chainguard/rke2-runtime-1.33pkg:apk/chainguard/rke2-runtime-1.34pkg:apk/chainguard/rke2-runtime-1.35pkg:apk/chainguard/rke2-runtime-fips-1.33pkg:apk/chainguard/rke2-runtime-fips-1.34pkg:apk/chainguard/rke2-runtime-fips-1.35pkg:apk/chainguard/telegraf-1.37pkg:apk/chainguard/telegraf-1.38pkg:apk/wolfi/k3spkg:apk/wolfi/k3s-1.32pkg:apk/wolfi/k3s-1.33pkg:apk/wolfi/k3s-staticpkg:apk/wolfi/k3s-static-1.32pkg:apk/wolfi/k3s-static-1.33pkg:apk/wolfi/kinepkg:apk/wolfi/natspkg:apk/wolfi/nats-toppkg:apk/wolfi/prometheus-nats-exporterpkg:apk/wolfi/telegraf-1.37pkg:apk/wolfi/telegraf-1.38pkg:bitnami/natspkg:golang/github.com/nats-io/nats-serverpkg:golang/github.com/nats-io/nats-server/v2pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 1.35.2.1-r4+ 37 more
- (no CPE)range: < 1.35.2.1-r4
- (no CPE)range: < 1.32.13.1-r7
- (no CPE)range: < 1.33.9.1-r6
- (no CPE)range: < 1.35.2.1-r4
- (no CPE)range: < 1.32.13.1-r7
- (no CPE)range: < 1.33.9.1-r6
- (no CPE)range: < 0.14.15-r1
- (no CPE)range: < 2.5.27-r4
- (no CPE)range: < 0.3.2-r0
- (no CPE)range: < 0.3.2-r0
- (no CPE)range: < 0.6.3-r18
- (no CPE)range: < 0.6.3-r16
- (no CPE)range: < 0.19.1-r4
- (no CPE)range: < 0.19.1-r4
- (no CPE)range: < 1.33.9.2.1-r3
- (no CPE)range: < 1.34.5.2.1-r3
- (no CPE)range: < 1.35.2.2.1-r3
- (no CPE)range: < 1.33.10.2.3-r2
- (no CPE)range: < 1.34.6.2.1-r2
- (no CPE)range: < 1.35.2.2.1-r2
- (no CPE)range: < 1.37.3-r6
- (no CPE)range: < 1.38.1-r1
- (no CPE)range: < 1.35.2.1-r4
- (no CPE)range: < 1.32.13.1-r7
- (no CPE)range: < 1.33.9.1-r6
- (no CPE)range: < 1.35.2.1-r4
- (no CPE)range: < 1.32.13.1-r7
- (no CPE)range: < 1.33.9.1-r6
- (no CPE)range: < 0.14.15-r1
- (no CPE)range: < 0.3.2-r0
- (no CPE)range: < 0.6.3-r18
- (no CPE)range: < 0.19.1-r4
- (no CPE)range: < 1.37.3-r6
- (no CPE)range: < 1.38.1-r1
- (no CPE)range: < 2.11.15
- (no CPE)range: >= 0
- (no CPE)range: < 2.11.15
- (no CPE)range: < 0.0.20260326T203309-150000.1.155.2
- Range: < 2.11.15
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-9983-vrx2-fg9cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33222ghsaADVISORY
- advisories.nats.io/CVE/secnote-2026-12.txtghsax_refsource_MISCWEB
- github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9cghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.