Missing Authorization in nats-server - CVE-2021-3127

 

Missing Authorization in nats-server - CVE-2021-3127

Published: March 24, 2021 / Updated: June 30, 2026


Vulnerability identifier: #VU135923
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-3127
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: NATS - The Cloud Native Messaging System
Affected software:
nats-server

Detailed vulnerability description

The vulnerability allows a remote user to access subjects from another account.

The vulnerability exists due to improper access control in import token permission checking when processing tampered account JWTs with import tokens. A remote user can upload a tampered account JWT that reuses an import token from another account to access subjects from the exporting account.

Exploitation requires deployments where untrusted accounts are able to update the account server with imports, and private exports are in use.


How to mitigate CVE-2021-3127

Install security update from vendor's website.

Sources