CVE-2026-33222

{"id": "CVE-2026-33222", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2026-03-25T21:16:47.237", "references": [{"url": "https://advisories.nats.io/CVE/secnote-2026-12.txt", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions."}, {"lang": "es", "value": "NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajer\u00eda nativo de la nube y del borde. Antes de las versiones 2.11.15 y 2.12.6, los usuarios con acceso a la API de administraci\u00f3n de JetStream para restaurar un stream pod\u00edan restaurar a otros nombres de stream, lo que afectaba a los datos que deber\u00edan haber estado protegidos contra ellos. Las versiones 2.11.15 y 2.12.6 contienen una correcci\u00f3n. Como soluci\u00f3n alternativa, si los desarrolladores han configurado a los usuarios para tener permisos limitados de restauraci\u00f3n de JetStream, eliminen temporalmente esos permisos."}], "lastModified": "2026-03-26T17:17:38.877", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C", "versionEndExcluding": "2.11.15"}, {"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154", "versionEndExcluding": "2.12.6", "versionStartIncluding": "2.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}