NATS-Server JetStream Stream Restore Endpoint Authorization Bypass Vulnerability

Vulnerability

An authorization bypass vulnerability has been identified in NATS-Server versions prior to 2.11.15 and 2.12.6. A user whose JetStream API permissions allow restoring one specific stream can use the restore endpoint to restore that backup under a different stream name, overwriting a stream the permission was never meant to cover. The flaw is in the backup and restore feature of the JetStream management API.

Impact

Exploitation of this vulnerability could lead to unauthorized data modification: a user holding only a limited restore permission can overwrite the contents of a stream they were not authorized to write to by restoring a backup under that stream's name.

Remediation

Upgrade to NATS-Server 2.12.6 or 2.11.15 (or a later release on the same line). Until the upgrade is in place, temporarily remove any limited JetStream restore permissions that have been granted to users; full JetStream administrators are not affected in the same way, since they could already write to every stream.
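The following script is an added example for operators rolling out the fix; it is not part of the advisory or of nats-server itself. It does two things: classifies a nats-server version string as affected or fixed using the version boundaries stated above, and lists the single-stream restore grants in a file-based nats-server configuration, which are the permissions the remediation says to remove temporarily. It assumes that version strings look like "2.11.14", "v2.11.14" or the "nats-server: v2.11.14" form printed by `nats-server -v`, and that restore grants appear as publish permissions on the JetStream API subject `$JS.API.STREAM.RESTORE.<stream>`. The configuration it audits is constructed for the example and does not come from any real deployment.

```shell
#!/bin/sh
# Added example (not from the advisory or from nats-server): two checks for
# the JetStream stream restore authorization bypass.
#   nats_version_affected      - is a version inside the affected range
#                                (fixed in 2.11.15 and 2.12.6)?
#   find_limited_restore_grants - which single-stream restore grants does a
#                                nats-server config file contain?
# Assumption: version strings are "X.Y.Z", "vX.Y.Z" or "nats-server: vX.Y.Z".

# nats_version_affected VERSION
# Exit status 0 = affected, 1 = fixed, 2 = version string not understood.
nats_version_affected() {
    # Extract the first X.Y.Z triple; leading text such as "nats-server: v"
    # and a trailing pre-release suffix such as "-RC.1" are ignored.
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/p')
    set -- $parsed                   # unquoted on purpose: split into 3 fields
    [ $# -eq 3 ] || return 2
    major=$1 minor=$2 patch=$3

    [ "$major" -lt 2 ] && return 0   # 1.x predates both fixed releases
    [ "$major" -gt 2 ] && return 1   # assumption: later majors carry the fix
    [ "$minor" -lt 11 ] && return 0  # 2.10 and older have no fixed release
    if [ "$minor" -eq 11 ]; then
        [ "$patch" -lt 15 ] && return 0
        return 1
    fi
    if [ "$minor" -eq 12 ]; then
        [ "$patch" -lt 6 ] && return 0
        return 1
    fi
    return 1                         # assumption: 2.13+ carries the fix
}

# find_limited_restore_grants CONFIG_FILE
# Prints each $JS.API.STREAM.RESTORE.<stream> subject that names exactly one
# stream. The wildcard forms RESTORE.* and RESTORE.> are skipped: they are
# "restore anything" grants, not the limited grants the remediation targets.
# Exit status is 0 if at least one limited grant was found, 1 otherwise.
find_limited_restore_grants() {
    grep -oE '\$JS\.API\.STREAM\.RESTORE\.[^] ",]+' "$1" |
        grep -vE 'RESTORE\.(\*|>)$' |
        sort -u |
        grep .
}

# sample_config: a constructed nats-server config fragment (not from a real
# deployment) with one limited restore grant, one wildcard restore grant and
# one full JetStream API grant.
sample_config() {
    cat <<'EOF'
authorization {
  users = [
    { user: backup_orders, password: "example",
      permissions: {
        publish: ["$JS.API.STREAM.RESTORE.ORDERS", "$JS.API.STREAM.SNAPSHOT.ORDERS"],
        subscribe: ["_INBOX.>"]
      }
    },
    { user: js_admin, password: "example",
      permissions: { publish: ["$JS.API.>"], subscribe: ["_INBOX.>"] } },
    { user: backup_any, password: "example",
      permissions: { publish: ["$JS.API.STREAM.RESTORE.*"], subscribe: ["_INBOX.>"] } }
  ]
}
EOF
}

# Stand-alone demo: classify a few version strings, then audit the sample.
for v in "nats-server: v2.11.14" "v2.11.15" "2.12.5" "2.12.6" "2.13.0" "2.10.22"; do
    if nats_version_affected "$v"; then
        echo "$v: AFFECTED, upgrade to 2.11.15 / 2.12.6"
    elif [ $? -eq 2 ]; then
        echo "$v: could not parse version"
    else
        echo "$v: fixed"
    fi
done

tmp=$(mktemp)
sample_config > "$tmp"
echo "limited restore grants to remove until upgraded:"
find_limited_restore_grants "$tmp" || echo "(none)"
rm -f "$tmp"
```

The grant audit only covers file-based authorization blocks; in deployments that use an account resolver, user permissions live in the user JWTs rather than in the server configuration file, and the same subject pattern has to be checked there instead. Pre-release suffixes are stripped before comparison, so a release candidate of a fixed version is reported as fixed even if it was cut before the fix landed; treat those as affected unless the release notes say otherwise.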

Added: Mar 25, 2026, 9:57 PM
Updated: Mar 25, 2026, 9:57 PM

Vulnerability Rating

Custom Algorithm (score per category, 0 to 10):
spread: 6.2
impact: 2.5
exploitability: 5.2
remediation: 8.3
relevance: 4.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.