Missing Authorization in nats-server - CVE-2021-3127
Published: March 24, 2021 / Updated: June 30, 2026
nats-server
Detailed vulnerability description
The vulnerability allows a remote user to access subjects from another account.
The vulnerability exists due to improper access control in import token permission checking when processing tampered account JWTs with import tokens. A remote user can upload a tampered account JWT that reuses an import token from another account to access subjects from the exporting account.
Exploitation requires deployments where untrusted accounts are able to update the account server with imports, and private exports are in use.