Any account can take an Import token used by any other account and re-use it for themselves because the binding to the importing account is not rejected, and use it to import *any* Subject from the Exporting account, not just the Subject referenced in the Import Token.
Created nats-server tracking bugs for this issue:
Affects: fedora-all [bug 1944544]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):