4.9

CVE-2026-33222

EPSS 0.03%
Veröffentlicht 25.03.2026 20:10:51
Zuletzt bearbeitet 26.03.2026 17:17:38
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

NATS JetStream has an authorization bypass through its Management API

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linuxfoundation ≫ Nats-server Version < 2.11.15

Linuxfoundation ≫ Nats-server Version >= 2.12.0 < 2.12.6

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.078

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c

Vendor Advisory

Mitigation

https://advisories.nats.io/CVE/secnote-2026-12.txt

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-33222

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33222

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33222

EUVD