CVE-2026-33222

Severity: MEDIUM (CVSS 4.9) | EPSS: 0.01%

NATS JetStream has an authorization bypass through its Management API

Published: 2026/3/24 | Modified: 2026/3/27
Also known as: GHSA-9983-vrx2-fg9c, BIT-nats-2026-33222, CGA-jmv6-q4fp-447v, GO-2026-4832

Description

### Background

NATS.io is a high-performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. Its persistent storage feature, JetStream, has a management API with many features, among them backup and restore.

### Problem Description

Users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them.

### Affected Versions

Any version before v2.12.6 or v2.11.15.

### Workarounds

If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.

Affected packages (6)

CVSS score

| Source | Version | Severity | Vector |
|--------|---------|----------|--------|
| osv | CVSS 3.1 | MEDIUM (4.9) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |

References (5)