logo

Database

Improper authorization control for web services In github.com/nats-io/nats-server/v2

Description

NATS JetStream has an authorization bypass through its Management API

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore.

Problem Description

Users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-332222. NVD-2026-332223. OSV-2026-332224. GHSA-9983-vrx2-fg9c5. GCVE-2026-33222

References

1. https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c2. https://advisories.nats.io/CVE/secnote-2026-12.txt

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.