{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "2.2.0" }, { "fixed": "2.7.4" } ] }, "events": [ { "introduced": "0e3c7230e4b7c85795592f74a62351f6fe22fcbd" }, { "fixed": "a86b84a9f35168973d910f462b8d03f77699b34f" } ], "repo": "https://github.com/nats-io/nats-server", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "0.15.0" }, { "fixed": "0.24.3" } ] }, "events": [ { "introduced": "2a67132e38c3fb3ace0bb2b8c0a71d8f08380e67" }, { "fixed": "4202e6a727aa32e638e6ce205c0bc054e74b4643" } ], "repo": "https://github.com/nats-io/nats-streaming-server", "type": "GIT" } ] } ], "details": "NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.", "id": "CVE-2022-26652", "modified": "2026-04-01T23:08:36.413055440Z", "published": "2022-03-10T17:47:51.470Z", "references": [ { "type": "ADVISORY", "url": "http://www.openwall.com/lists/oss-security/2022/03/10/1" }, { "type": "ADVISORY", "url": "https://advisories.nats.io/CVE/CVE-2022-26652.txt" }, { "type": "ADVISORY", "url": "https://github.com/nats-io/nats-server/releases" }, { "type": "ADVISORY", "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68" } ], "related": [ "GHSA-6h3m-36w8-hv68" ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "type": "CVSS_V3" } ] }