CVE-2026-33222
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3Description
### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore. ### Problem Description Users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. ### Affected Versions Any version before v2.12.6 or v2.11.15 ### Workarounds If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
Analysis
NATS JetStream before v2.11.15 and v2.12.6 allows authenticated users with admin API access to bypass stream-level restore restrictions and restore backups to unauthorized streams, enabling unauthorized data manipulation. An attacker with JetStream admin credentials can exploit this privilege escalation vulnerability to access or modify streams they should not have permission to alter. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today