GHSA-9983-vrx2-fg9c

Source
https://github.com/advisories/GHSA-9983-vrx2-fg9c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-9983-vrx2-fg9c/GHSA-9983-vrx2-fg9c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9983-vrx2-fg9c
Aliases
Downstream
Related
Published
2026-03-24T21:49:34Z
Modified
2026-03-27T22:16:20.324543Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Summary
NATS JetStream has an authorization bypass through its Management API
Details

Background

NATS.io is a high-performance, open-source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore.

Problem Description

Users granted JetStream admin API access to restore a single stream could instead restore into other stream names, overwriting data that should have been protected from them.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
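As an added illustration, not part of the advisory, here is a NATS server configuration fragment of the kind the workaround refers to: first a user whose publish permissions allow the JetStream restore request subject for one stream only, then the same user with the restore subject removed and explicitly denied. The account, user and stream names, and the password placeholder, are assumed; `$JS.API.STREAM.RESTORE.<stream>` is the JetStream restore request subject.

```conf
# Added example, not from the advisory. Account, user and stream names are assumed.
# Version 1 (before the workaround): "backup-operator" may publish restore requests
# for the "orders" stream only. On affected server versions this per-stream scoping
# is not enforced by the restore API, which is the bug the advisory describes.
accounts {
  APP {
    jetstream: enabled
    users: [
      {
        user: backup-operator
        password: "REPLACE_WITH_BCRYPT_HASH"
        permissions {
          publish   { allow: ["$JS.API.INFO", "$JS.API.STREAM.RESTORE.orders"] }
          subscribe { allow: ["_INBOX.>"] }
        }
      }
    ]
  }
}

# --- Version 2: alternative contents of the same file, applied as the workaround ---
# Until the server is upgraded to a fixed release, drop the restore subject from the
# allow list and deny it outright, so a broader allow elsewhere cannot reintroduce it.
accounts {
  APP {
    jetstream: enabled
    users: [
      {
        user: backup-operator
        password: "REPLACE_WITH_BCRYPT_HASH"
        permissions {
          publish {
            allow: ["$JS.API.INFO"]
            deny:  ["$JS.API.STREAM.RESTORE.>"]
          }
          subscribe { allow: ["_INBOX.>"] }
        }
      }
    ]
  }
}
```

The two `accounts` blocks are alternative versions of one file, not meant to be loaded together. Deny rules take precedence over allow rules in NATS permissions, so the second version blocks restore requests for every stream regardless of what the allow list contains; after the server is upgraded to v2.11.15 or v2.12.6, the per-stream allow can be restored.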

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-285"
    ],
    "nvd_published_at": "2026-03-25T21:16:47Z",
    "github_reviewed_at": "2026-03-24T21:49:34Z",
    "severity": "MODERATE"
}
References

Affected packages

Go / github.com/nats-io/nats-server/v2

Package

Name
github.com/nats-io/nats-server/v2
Purl
pkg:golang/github.com/nats-io/nats-server/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.11.15

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-9983-vrx2-fg9c/GHSA-9983-vrx2-fg9c.json"

Go / github.com/nats-io/nats-server/v2

Package

Name
github.com/nats-io/nats-server/v2
Purl
pkg:golang/github.com/nats-io/nats-server/v2

Affected ranges

Type
SEMVER
Events
Introduced
2.12.0-RC.1
Fixed
2.12.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-9983-vrx2-fg9c/GHSA-9983-vrx2-fg9c.json"

Go / github.com/nats-io/nats-server

Package

Name
github.com/nats-io/nats-server
Purl
pkg:golang/github.com/nats-io/nats-server

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-9983-vrx2-fg9c/GHSA-9983-vrx2-fg9c.json"