CVE-2026-33222: CWE-285: Improper Authorization in nats-io nats-server
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
AI Analysis
Technical Summary
CVE-2026-33222 is a medium-severity improper authorization vulnerability (CWE-285) in the nats-io nats-server, a high-performance messaging server used in cloud and edge native environments. The flaw exists in the JetStream admin API restore functionality, where users granted permission to restore one stream can exploit the vulnerability to restore data to other stream names beyond their authorization scope. This improper authorization allows modification of data streams that should be protected, compromising data integrity. The vulnerability affects nats-server versions prior to 2.11.15 and versions from 2.12.0-RC.1 up to but not including 2.12.6. Exploitation requires network access and high privileges (JetStream admin API access), but no user interaction is necessary. The vulnerability does not impact confidentiality or availability but can lead to unauthorized data alteration. The issue was addressed in versions 2.11.15 and 2.12.6 by correcting authorization checks in the restore API. As a temporary mitigation, administrators are advised to remove or restrict JetStream restore permissions for users until they can upgrade. No known exploits are reported in the wild as of the publication date.
Potential Impact
The primary impact of CVE-2026-33222 is on data integrity within systems using nats-server with JetStream enabled. Unauthorized restoration of streams under incorrect names can lead to data corruption or overwriting of critical messaging streams, potentially disrupting application workflows that depend on accurate message delivery and storage. While confidentiality and availability are not directly affected, the integrity compromise can undermine trust in messaging data and cause operational issues in distributed systems relying on NATS for event streaming and messaging. Organizations using affected versions in production environments, especially those with multi-tenant or segmented data streams, face risks of unauthorized data modification by users with elevated JetStream restore permissions. This could lead to compliance violations, data loss, or application errors. The medium CVSS score reflects the need for timely patching but indicates that exploitation requires privileged access, limiting the attack surface to insiders or compromised accounts with high-level permissions.
Mitigation Recommendations
1. Upgrade affected nats-server instances to version 2.11.15 or 2.12.6 or later, where the authorization flaw is fixed.
2. Temporarily revoke or restrict JetStream restore permissions for users until the upgrade can be applied, especially for users with limited restore permissions.
3. Audit current JetStream admin API permissions to ensure only trusted and necessary users have restore capabilities.
4. Implement strict access controls and monitoring on JetStream API usage to detect anomalous restore operations.
5. Use network segmentation and firewall rules to limit access to nats-server endpoints to authorized administrators only.
6. Regularly review and update nats-server configurations to follow the principle of least privilege.
7. Monitor vendor advisories and community forums for any emerging exploit techniques or patches related to this vulnerability.
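An added audit helper for steps 2 and 3 (example code written for this page, not part of nats-server): it reproduces NATS subject matching (`*` is one token, `>` is one or more trailing tokens, deny overrides allow) and lists every user whose publish permissions reach a `$JS.API.STREAM.RESTORE.<stream>` subject, which is the set whose restore grant the advisory says to pull until the server is patched. The user/permission map and stream names are constructed samples shaped like `authorization.users[].permissions` in a server config, and the default `$JS.API` prefix is assumed (adjust if your account imports the JetStream API under another prefix).

```python
# Added audit helper for the CVE-2026-33222 workaround (not nats-server code).
# Reproduces NATS subject matching and reports who can publish to the
# JetStream stream-restore API subject for each known stream.
JS_RESTORE_PREFIX = "$JS.API.STREAM.RESTORE."  # default JetStream API prefix assumed


def subject_matches(pattern: str, subject: str) -> bool:
    """Return True if a NATS permission pattern covers a concrete subject."""
    ptoks, stoks = pattern.split("."), subject.split(".")
    for i, ptok in enumerate(ptoks):
        if ptok == ">":
            return i < len(stoks)  # '>' needs at least one remaining token
        if i >= len(stoks) or (ptok != "*" and ptok != stoks[i]):
            return False
    return len(ptoks) == len(stoks)


def can_publish(permissions: dict, subject: str) -> bool:
    """Apply NATS publish rules: allow list (everything if absent), then deny overrides."""
    pub = permissions.get("publish", {})
    allow, deny = pub.get("allow"), pub.get("deny", [])
    allowed = True if not allow else any(subject_matches(p, subject) for p in allow)
    return allowed and not any(subject_matches(p, subject) for p in deny)


def users_with_restore_rights(users: dict, streams: list) -> dict:
    """Map user -> streams whose restore subject that user may publish to."""
    findings = {}
    for user, perms in users.items():
        hits = [s for s in streams if can_publish(perms, JS_RESTORE_PREFIX + s)]
        if hits:
            findings[user] = hits
    return findings


# Constructed sample mirroring 'authorization.users[].permissions' in nats-server.conf.
# 'ops' holds the single-stream restore grant the advisory says is not safe pre-fix.
SAMPLE_USERS = {
    "ops":   {"publish": {"allow": ["$JS.API.INFO", "$JS.API.STREAM.RESTORE.ORDERS"]}},
    "admin": {"publish": {"allow": ["$JS.API.>"], "deny": ["$JS.API.STREAM.RESTORE.>"]}},
    "app":   {"publish": {"allow": ["orders.>", "$JS.API.STREAM.INFO.*"]}},
    "root":  {},  # no permissions block: NATS allows every subject
}
SAMPLE_STREAMS = ["ORDERS", "AUDIT"]  # constructed; use the real list from 'nats stream ls'

if __name__ == "__main__":
    for user, streams in users_with_restore_rights(SAMPLE_USERS, SAMPLE_STREAMS).items():
        print(f"{user}: can restore {streams}; revoke until on 2.11.15 / 2.12.6 or later")
```

A stream missing from the stream list is not checked, so feed the helper the complete list from the server rather than a hand-typed subset.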
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, Canada, Australia, France, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T23:23:58.315Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c44608f4197a8e3b7facd3
Added to database: 3/25/2026, 8:31:04 PM
Last enriched: 3/25/2026, 8:47:00 PM
Last updated: 3/26/2026, 5:40:52 AM