CVE-2026-33222
NATS JetStream has an authorization bypass through its Management API
4.9
MEDIUM
CVSS 3.1
EPSS 0.01%
Description
nats-server is the high-performance server for NATS.io, a cloud- and edge-native messaging system. Before versions 2.11.15 and 2.12.6, a user whose JetStream admin API permissions allowed restoring one stream could restore into other stream names, overwriting data that the permission model should have kept out of their reach. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if you have configured users with limited JetStream restore permissions, temporarily remove those permissions until you can upgrade. Note that the attacker must already hold a (scoped) restore permission, which is why the CVSS vector scores high privileges required (PR:H) and an integrity-only impact (C:N/I:H/A:N).
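The check that the workaround and the fix rely on is a per-subject one: the JetStream restore API is addressed as `$JS.API.STREAM.RESTORE.<stream>`, and a user is "limited" by allowing them to publish only to that subject for specific stream names. The Python below is an added model of that scope check, not nats-server code and not from the advisory. The NATS subject grammar (`*` matches one token, `>` matches the remaining tokens) and the restore subject prefix are real NATS conventions; the concrete bypass shape modelled here, a stream name carried in the restore request payload that differs from the one in the subject, is an assumption made to give the model a failure mode, since the page only states that a scoped user could restore to other stream names. All permission sets and requests are constructed sample data.

```python
"""Model of subject-scoped JetStream restore authorization (added example)."""
from dataclasses import dataclass, field

# Real NATS JetStream API subject prefix for stream restore requests.
RESTORE_PREFIX = "$JS.API.STREAM.RESTORE."


def subject_matches(pattern: str, subject: str) -> bool:
    """NATS subject matching: '*' matches exactly one token, '>' one or more trailing tokens."""
    p_tokens = pattern.split(".")
    s_tokens = subject.split(".")
    for i, p in enumerate(p_tokens):
        if p == ">":
            return len(s_tokens) > i
        if i >= len(s_tokens):
            return False
        if p != "*" and p != s_tokens[i]:
            return False
    return len(p_tokens) == len(s_tokens)


def covers_restore(pattern: str) -> bool:
    """True if a publish-allow pattern can match some $JS.API.STREAM.RESTORE.<stream> subject."""
    prefix_tokens = RESTORE_PREFIX.rstrip(".").split(".")
    p_tokens = pattern.split(".")
    for i, want in enumerate(prefix_tokens):
        if i >= len(p_tokens):
            return False
        if p_tokens[i] == ">":
            return True
        if p_tokens[i] != "*" and p_tokens[i] != want:
            return False
    # All prefix tokens matched; the stream name is exactly one more token.
    return len(p_tokens) == len(prefix_tokens) + 1


@dataclass
class UserPermissions:
    """Subset of a nats-server user permission block: publish allow-list only."""
    publish_allow: list = field(default_factory=list)

    def may_publish(self, subject: str) -> bool:
        return any(subject_matches(p, subject) for p in self.publish_allow)


@dataclass
class RestoreRequest:
    subject: str       # API subject the client publishes to
    config_name: str   # stream name inside the payload (assumed field, see lead-in)


def authorize_restore(perms: UserPermissions, req: RestoreRequest, fixed: bool):
    """Return (allowed, target_stream_or_reason).

    fixed=False models a server that trusts the payload's stream name once the
    subject-level publish check passes; fixed=True also requires the payload
    name to equal the stream named in the subject.
    """
    if not req.subject.startswith(RESTORE_PREFIX):
        return False, "not a restore request"
    subject_stream = req.subject[len(RESTORE_PREFIX):]
    if not perms.may_publish(req.subject):
        return False, "publish to restore subject denied"
    if not fixed:
        return True, req.config_name
    if req.config_name != subject_stream:
        return False, "stream name in payload does not match subject"
    return True, subject_stream


def apply_workaround(perms: UserPermissions) -> UserPermissions:
    """The advisory's workaround: drop every allow entry that could reach a restore subject."""
    return UserPermissions([p for p in perms.publish_allow if not covers_restore(p)])


# Constructed sample: a backup user scoped to restoring only the ORDERS stream.
BACKUP_USER = UserPermissions(publish_allow=[RESTORE_PREFIX + "ORDERS", "$JS.API.INFO"])
LEGIT = RestoreRequest(RESTORE_PREFIX + "ORDERS", "ORDERS")
CROSS_STREAM = RestoreRequest(RESTORE_PREFIX + "ORDERS", "PAYMENTS")   # modelled bypass attempt
DIRECT = RestoreRequest(RESTORE_PREFIX + "PAYMENTS", "PAYMENTS")       # denied by subject check

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("cross", CROSS_STREAM), ("direct", DIRECT)):
        print(label, "vulnerable:", authorize_restore(BACKUP_USER, req, fixed=False),
              "fixed:", authorize_restore(BACKUP_USER, req, fixed=True))
    print("workaround perms:", apply_workaround(BACKUP_USER).publish_allow)
```

Two things the model makes visible: a broad allow such as `$JS.API.>` also grants restore and is removed by the workaround, so auditing only literal `RESTORE` entries is not enough; and once the fix is in place, the subject-level permission is the sole authority for which stream a restore may touch, which is the property the scoped permission was meant to provide all along.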
How to fix CVE-2026-33222
To remediate CVE-2026-33222, upgrade nats-server to the fixed release on the branch you run: 2.11.15 or later on the 2.11 line, or 2.12.6 or later on the 2.12 line (2.12.0 through 2.12.5, including the 2.12.0 release candidates, are affected, so "2.11.15 or later" alone is not sufficient for a 2.12 deployment). Per-package entries as listed:
- upgrade to 2.11.15 or later (2.11 branch) or 2.12.6 or later (2.12 branch)
- no fix listed
- no fix listed
- no fix listed
- upgrade to 2.11.15 or later (2.11 branch) or 2.12.6 or later (2.12 branch)
- upgrade to 2.11.15 or later (2.11 branch) or 2.12.6 or later (2.12 branch)
Is CVE-2026-33222 being exploited?
Low. EPSS is 0.01%, an estimated probability of exploitation in the wild over the next 30 days, so no meaningful exploitation activity is expected. The score says nothing about difficulty: for a user who already holds a scoped restore permission, triggering the bypass requires no special conditions (AC:L in the vector above).
Affected packages (6)
- all versions < 2.11.15, and >= 2.12.0, < 2.12.6
- from 0 (no upper bound listed)
- from 0 (no upper bound listed)
- from 0 (no upper bound listed)
- all versions < 2.11.15
- all versions < 2.11.15, and >= 2.12.0-RC.1, < 2.12.6
CVSS scores
| Source | Version | Severity (score) | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.9) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |