Red Hat CVE-2026-33222
MEDIUMSeverity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore.
Problem Description
Users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
AnalysisAI
NATS JetStream before v2.11.15 and v2.12.6 allows authenticated users with admin API access to bypass stream-level restore restrictions and restore backups to unauthorized streams, enabling unauthorized data manipulation. An attacker with JetStream admin credentials can exploit this privilege escalation vulnerability to access or modify streams they should not have permission to alter. No patch is currently available, requiring administrators to temporarily revoke JetStream restore permissions as a mitigation.
Technical ContextAI
NATS.io is a high-performance pub-sub distributed messaging system widely used in cloud, on-premise, IoT, and edge computing environments. JetStream is the persistent storage subsystem that provides durable message streaming capabilities. The JetStream management API includes backup and restore operations designed to allow administrators to preserve and recover stream data. The vulnerability exists in the restore function's authorization logic, which fails to properly validate that the user's restore permissions are scoped only to specific stream names. This is fundamentally a CWE-285 (Improper Authorization) issue where access control checks do not properly enforce the principle of least privilege. The affected products are identified via CPE as pkg:go/github.com_nats-io_nats-server_v2, indicating the vulnerability is in the Go-based NATS server implementation.
RemediationAI
Upgrade NATS.io nats-server to version v2.12.6 or later on the 2.12 branch, or v2.11.15 or later on the 2.11 branch, as detailed in the vendor advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c. As an interim workaround prior to patching, immediately audit and restrict JetStream restore API permissions, removing restore access from user accounts that do not require it for operational purposes. For multi-tenant environments, enforce explicit per-stream restore permissions at the policy level and implement network segmentation to limit JetStream API access to trusted administrative systems only. Verify the patch is properly applied by checking the server version via the NATS monitoring endpoint post-upgrade.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today