CVE-2026-33222 Overview
CVE-2026-33222 affects NATS-Server, the high-performance messaging server for NATS.io used in cloud-native and edge messaging deployments. The vulnerability allows a user whose JetStream admin API permissions are scoped to restoring a single stream to restore data into other stream names instead. This authorization flaw [CWE-285] breaks the isolation boundary that operators rely on when delegating restore privileges: a user holding such a grant can overwrite or replace streams they were never authorized to modify, undermining data integrity guarantees in multi-tenant deployments. The Linux Foundation released fixed builds in versions 2.11.15 and 2.12.6.
Critical Impact
Authenticated users with narrowly scoped JetStream restore permissions can write data into arbitrary stream names, violating tenant isolation and integrity protections in NATS messaging deployments.
Affected Products
- NATS-Server versions prior to 2.11.15 (2.11.x branch)
- NATS-Server versions prior to 2.12.6 (2.12.x branch)
- Deployments using JetStream with delegated restore permissions
Discovery Timeline
- 2026-03-25 - CVE-2026-33222 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33222
Vulnerability Analysis
NATS JetStream provides persistent messaging on top of the NATS core, including administrative APIs for backing up and restoring streams. Because the JetStream API is subject-based, an operator scopes a user to restoring a specific stream by granting a publish permission on that stream's restore subject, $JS.API.STREAM.RESTORE.<stream>. The server fails to enforce that restriction at the point where the restore target stream name is resolved: a user authorized to restore stream A can submit a restore request that targets stream B, and the operation completes. This is an improper authorization issue [CWE-285] rather than an authentication weakness, since the attacker must already hold valid credentials with JetStream admin API access. The integrity impact is significant because a restore replaces stream contents, so an attacker can overwrite production data in streams belonging to other tenants or applications.
Root Cause
The permission check validates that the caller may invoke a restore operation but does not verify that the destination stream name matches the stream the caller was authorized to restore. The mismatch between the granted scope and the enforced scope allows the restore payload to be redirected to any stream name accepted by the JetStream API.
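The following Go program is an added illustration of the root cause described above; it is not nats-server code and does not reproduce the actual patch. It assumes, for the sake of the model, that restore scope is granted as a publish permission on $JS.API.STREAM.RESTORE.<stream> and that the request payload carries its own stream name in config.name. The vulnerable resolver trusts the payload name once the subject permission passes; the hardened resolver takes the target from the subject token and rejects a payload that disagrees.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Illustrative model, not nats-server code. A restore request is published to
// $JS.API.STREAM.RESTORE.<stream>; the operator scopes a user by allowing
// publish on that per-stream subject (assumption for this example).
const restorePrefix = "$JS.API.STREAM.RESTORE."

// restoreRequest mirrors only the part of the payload this example needs: the
// stream configuration carries its own name (assumption).
type restoreRequest struct {
	Config struct {
		Name string `json:"name"`
	} `json:"config"`
}

// subjectMatches reports whether subject is matched by a NATS permission
// pattern ('*' matches exactly one token, '>' matches one or more trailing tokens).
func subjectMatches(pattern, subject string) bool {
	pt := strings.Split(pattern, ".")
	st := strings.Split(subject, ".")
	for i, p := range pt {
		switch {
		case p == ">":
			return i < len(st)
		case i >= len(st):
			return false
		case p != "*" && p != st[i]:
			return false
		}
	}
	return len(pt) == len(st)
}

// canPublish checks the caller's allow-pub list. This is all the pre-fix check
// establishes: that the caller may invoke *a* restore.
func canPublish(allowPub []string, subject string) bool {
	for _, p := range allowPub {
		if subjectMatches(p, subject) {
			return true
		}
	}
	return false
}

// resolveTargetVulnerable models the flaw: the destination is taken from the
// payload, so the permission granted on the subject never constrains it.
func resolveTargetVulnerable(allowPub []string, subject string, payload []byte) (string, error) {
	if !canPublish(allowPub, subject) {
		return "", errors.New("permissions violation")
	}
	var req restoreRequest
	if err := json.Unmarshal(payload, &req); err != nil {
		return "", err
	}
	return req.Config.Name, nil
}

// resolveTargetFixed binds the destination to the authorized scope: the subject
// token is the only source of truth and the payload must agree with it.
func resolveTargetFixed(allowPub []string, subject string, payload []byte) (string, error) {
	if !canPublish(allowPub, subject) {
		return "", errors.New("permissions violation")
	}
	if !strings.HasPrefix(subject, restorePrefix) {
		return "", errors.New("not a restore subject")
	}
	target := strings.TrimPrefix(subject, restorePrefix)
	if target == "" || strings.Contains(target, ".") {
		return "", errors.New("invalid stream name in subject")
	}
	var req restoreRequest
	if err := json.Unmarshal(payload, &req); err != nil {
		return "", err
	}
	if req.Config.Name != "" && req.Config.Name != target {
		return "", fmt.Errorf("stream name mismatch: subject %q, payload %q", target, req.Config.Name)
	}
	return target, nil
}

func main() {
	// Constructed scenario: the user may restore only ORDERS, but the payload
	// names BILLING, a stream belonging to another tenant.
	allow := []string{"$JS.API.STREAM.RESTORE.ORDERS"}
	subject := "$JS.API.STREAM.RESTORE.ORDERS"
	payload := []byte(`{"config":{"name":"BILLING","subjects":["billing.>"]}}`)

	if t, err := resolveTargetVulnerable(allow, subject, payload); err == nil {
		fmt.Println("vulnerable resolver restores:", t) // BILLING
	}
	if _, err := resolveTargetFixed(allow, subject, payload); err != nil {
		fmt.Println("fixed resolver rejects:", err)
	}
}
```

The point of the model is that the subject permission and the effective target must be the same value; any design in which the target can be supplied a second time, in the payload, needs an explicit equality check or the scope is only advisory.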
Attack Vector
The vulnerability is reachable over the network through the standard JetStream admin API. Exploitation requires authenticated access with a NATS user account that holds restore permissions on at least one stream. No user interaction is required, and the attack does not require elevated server privileges beyond the existing JetStream admin grant. Confidentiality and availability are not directly affected, but integrity of arbitrary streams is at risk.
For the authoritative technical write-up, see the NATS Security Advisory CVE-2026-12 and the GitHub Advisory GHSA-9983-vrx2-fg9c.
Detection Methods for CVE-2026-33222
Indicators of Compromise
- JetStream restore API calls where the target stream name differs from streams the calling user is documented to own or manage.
- Unexpected stream content replacement events or stream state resets correlated with $JS.API.STREAM.RESTORE activity.
- Restore operations initiated by accounts that historically only publish or consume messages.
Detection Strategies
- Audit JetStream API activity on $JS.API.STREAM.RESTORE.* subjects and correlate the authenticated user with the destination stream name. NATS-Server does not log individual API requests at its default log level; subscribe to the JetStream API audit advisories published on $JS.EVENT.ADVISORY.API, which carry the calling user, account, request subject and request payload, or enable trace logging (-V), which is expensive in production.
- Compare each restore request against an allow-list of (user, stream) pairs derived from the deployed permissions configuration.
- Alert on any restore operation that targets a stream not previously associated with the calling credential.
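The following Go program is an added example of the three detection strategies above applied to JetStream API audit advisories; it is not part of the advisory and not nats-server code. It relies on the advisory's type, client.user, client.acc, subject and request fields; the sample advisory lines and the (user, stream) allow-list are constructed for the example. It flags a restore whose payload names a different stream than the subject token (the redirection the fix rejects) and a restore whose target is outside the caller's documented scope.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// apiAudit holds the fields of the JetStream API audit advisory (published on
// $JS.EVENT.ADVISORY.API, type io.nats.jetstream.advisory.v1.api_audit) that
// this example uses; other fields are ignored.
type apiAudit struct {
	Type   string `json:"type"`
	Client struct {
		User    string `json:"user"`
		Account string `json:"acc"`
	} `json:"client"`
	Subject string `json:"subject"`
	Request string `json:"request"` // raw request payload carried as a string
}

// finding is one restore call that should be reviewed.
type finding struct {
	User   string
	Target string
	Reason string
}

// restoreScope is the documented user -> streams restore allow-list. It is
// constructed for this example; in practice derive it from the deployed
// permissions or account JWTs.
var restoreScope = map[string]map[string]bool{
	"restore-orders": {"ORDERS": true},
}

const restorePrefix = "$JS.API.STREAM.RESTORE."

// checkRestore inspects one advisory. Calls that are not STREAM.RESTORE are
// ignored. Two conditions raise a finding: the payload names a different
// stream than the subject token, or the target is not in the caller's
// documented scope (an over-broad grant that the server itself would accept).
func checkRestore(adv apiAudit) *finding {
	if !strings.HasPrefix(adv.Subject, restorePrefix) {
		return nil
	}
	target := strings.TrimPrefix(adv.Subject, restorePrefix)
	var req struct {
		Config struct {
			Name string `json:"name"`
		} `json:"config"`
	}
	if adv.Request != "" {
		if err := json.Unmarshal([]byte(adv.Request), &req); err == nil &&
			req.Config.Name != "" && req.Config.Name != target {
			return &finding{adv.Client.User, req.Config.Name,
				fmt.Sprintf("payload stream %q differs from subject stream %q", req.Config.Name, target)}
		}
	}
	if !restoreScope[adv.Client.User][target] {
		return &finding{adv.Client.User, target, "restore target outside documented scope"}
	}
	return nil
}

// scanAdvisories runs checkRestore over newline-delimited advisory JSON and
// returns findings in input order; unparsable or non-audit lines are skipped.
func scanAdvisories(lines []string) []finding {
	var out []finding
	for _, l := range lines {
		var adv apiAudit
		if err := json.Unmarshal([]byte(l), &adv); err != nil ||
			adv.Type != "io.nats.jetstream.advisory.v1.api_audit" {
			continue
		}
		if f := checkRestore(adv); f != nil {
			out = append(out, *f)
		}
	}
	return out
}

// sampleAdvisories are constructed for this example, not captured output.
var sampleAdvisories = []string{
	`{"type":"io.nats.jetstream.advisory.v1.api_audit","client":{"user":"restore-orders","acc":"APP"},"subject":"$JS.API.STREAM.RESTORE.ORDERS","request":"{\"config\":{\"name\":\"ORDERS\"}}"}`,
	`{"type":"io.nats.jetstream.advisory.v1.api_audit","client":{"user":"restore-orders","acc":"APP"},"subject":"$JS.API.STREAM.RESTORE.ORDERS","request":"{\"config\":{\"name\":\"BILLING\"}}"}`,
	`{"type":"io.nats.jetstream.advisory.v1.api_audit","client":{"user":"app-consumer","acc":"APP"},"subject":"$JS.API.STREAM.RESTORE.INVENTORY","request":"{\"config\":{\"name\":\"INVENTORY\"}}"}`,
	`{"type":"io.nats.jetstream.advisory.v1.api_audit","client":{"user":"app-consumer","acc":"APP"},"subject":"$JS.API.STREAM.INFO.INVENTORY","request":""}`,
}

func main() {
	for _, f := range scanAdvisories(sampleAdvisories) {
		fmt.Printf("ALERT user=%s target=%s: %s\n", f.User, f.Target, f.Reason)
	}
}
```

Run against the sample input this reports two findings: the payload/subject mismatch by restore-orders and the out-of-scope restore by app-consumer; the in-scope restore and the STREAM.INFO call produce nothing. Note that the mismatch check is the one that catches the bypass on an unpatched server, since a publish to a subject the user is not allowed to use is blocked at the connection and never reaches the JetStream API.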
Monitoring Recommendations
- Forward NATS server and JetStream audit logs to a centralized logging or SIEM pipeline for retention and correlation.
- Track stream metadata changes including created timestamps and message counts to identify unauthorized overwrites.
- Establish a baseline of legitimate restore activity per environment so anomalous targets stand out.
How to Mitigate CVE-2026-33222
Immediate Actions Required
- Upgrade NATS-Server to 2.11.15 or 2.12.6 or later across all cluster members and leaf nodes.
- Inventory all NATS user accounts that hold JetStream restore permissions and validate they are still required.
- Rotate credentials for any account whose restore activity cannot be reconciled with authorized stream ownership.
Patch Information
The maintainers fixed the authorization check in NATS-Server 2.11.15 and 2.12.6. The patched releases enforce that the destination stream name in a restore request matches the stream the caller was permitted to restore. Patch details and release notes are available in the GitHub Advisory GHSA-9983-vrx2-fg9c.
Workarounds
- If upgrading immediately is not possible, temporarily remove JetStream restore permissions from all non-administrative users as recommended in the NATS Security Advisory CVE-2026-12.
- Restrict JetStream admin API access to a small set of trusted operator accounts protected by strong authentication.
- Take stream snapshots and store them outside the cluster so unauthorized restores can be detected and reversed.
# Verify the running NATS-Server version on each node (cluster members and leaf nodes)
nats-server --version
# Example: revoke the per-stream restore permission from an NSC-managed user.
# `nsc edit user --rm` removes the subject from the user's publish/subscribe allow
# and deny lists; the '>' wildcard covers every stream name under the restore subject.
# The updated account JWT must then be pushed to the account resolver before the
# server applies the change.
nsc edit user --account APP --name restore-user \
  --rm '$JS.API.STREAM.RESTORE.>'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.