Skip to main content

Red Hat CVE-2026-33222

MEDIUM
Improper Authorization (CWE-285)
2026-03-24 https://github.com/nats-io/nats-server
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.9 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 24, 2026 - 22:01 vuln.today
CVE Published
Mar 24, 2026 - 21:49 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore.

Problem Description

Users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.

AnalysisAI

NATS JetStream before v2.11.15 and v2.12.6 allows authenticated users with admin API access to bypass stream-level restore restrictions and restore backups to unauthorized streams, enabling unauthorized data manipulation. An attacker with JetStream admin credentials can exploit this privilege escalation vulnerability to access or modify streams they should not have permission to alter. No patch is currently available, requiring administrators to temporarily revoke JetStream restore permissions as a mitigation.

Technical ContextAI

NATS.io is a high-performance pub-sub distributed messaging system widely used in cloud, on-premise, IoT, and edge computing environments. JetStream is the persistent storage subsystem that provides durable message streaming capabilities. The JetStream management API includes backup and restore operations designed to allow administrators to preserve and recover stream data. The vulnerability exists in the restore function's authorization logic, which fails to properly validate that the user's restore permissions are scoped only to specific stream names. This is fundamentally a CWE-285 (Improper Authorization) issue where access control checks do not properly enforce the principle of least privilege. The affected products are identified via CPE as pkg:go/github.com_nats-io_nats-server_v2, indicating the vulnerability is in the Go-based NATS server implementation.

RemediationAI

Upgrade NATS.io nats-server to version v2.12.6 or later on the 2.12 branch, or v2.11.15 or later on the 2.11 branch, as detailed in the vendor advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c. As an interim workaround prior to patching, immediately audit and restrict JetStream restore API permissions, removing restore access from user accounts that do not require it for operational purposes. For multi-tenant environments, enforce explicit per-stream restore permissions at the policy level and implement network segmentation to limit JetStream API access to trusted administrative systems only. Verify the patch is properly applied by checking the server version via the NATS monitoring endpoint post-upgrade.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33222 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy