Any account can take an Import token used by any other account and re-use it for themselves because the binding to the importing account is not rejected, and use it to import *any* Subject from the Exporting account, not just the Subject referenced in the Import Token.

Upstream Advisory: https://advisories.nats.io/CVE/CVE-2021-3127.txt
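An added example (not code from the NATS project or the advisory) of the check the description implies: an import is accepted only when the token is bound to the importing account and the requested Subject falls inside the token's grant, and any mismatch is rejected outright. The `ImportToken` type, the account names and the `ValidateImport` helper are hypothetical, and the token's signature is assumed to have been verified already.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ImportToken is a hypothetical, simplified stand-in for a verified import token.
type ImportToken struct {
	Exporter string // account that owns the exported subject
	IssuedTo string // account the token is bound to
	Subject  string // granted subject; "*" = one token, ">" = one or more trailing tokens
}

// covers reports whether the granted subject g includes every subject that the
// requested subject r can match, so a request can never widen the grant.
func covers(g, r string) bool {
	gt, rt := strings.Split(g, "."), strings.Split(r, ".")
	for i, t := range gt {
		if t == ">" {
			return i == len(gt)-1 && len(rt) > i
		}
		if i >= len(rt) || rt[i] == ">" || (t != "*" && t != rt[i]) {
			return false
		}
	}
	return len(gt) == len(rt)
}

// ValidateImport returns an error for any binding mismatch; the caller must
// refuse the import on error instead of logging it and continuing.
func ValidateImport(tok ImportToken, importer, exporter, subject string) error {
	switch {
	case tok.IssuedTo != importer:
		return errors.New("token is bound to a different importing account")
	case tok.Exporter != exporter:
		return errors.New("token was not issued by the exporting account")
	case !covers(tok.Subject, subject):
		return fmt.Errorf("subject %q is outside the token's grant %q", subject, tok.Subject)
	}
	return nil
}

func main() { // constructed sample token and account names
	tok := ImportToken{Exporter: "ACCT_EXPORT", IssuedTo: "ACCT_A", Subject: "orders.*"}
	fmt.Println(ValidateImport(tok, "ACCT_A", "ACCT_EXPORT", "orders.eu"))
	fmt.Println(ValidateImport(tok, "ACCT_B", "ACCT_EXPORT", "orders.eu"))
	fmt.Println(ValidateImport(tok, "ACCT_A", "ACCT_EXPORT", "billing.invoices"))
}
```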
Created nats-server tracking bugs for this issue: Affects: fedora-all [bug 1944544]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3127