CVE-2026-33248

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.

CVSS v3 4.2 MEDIUM

4.2^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://advisories.nats.io/CVE/secnote-2026-13.txt	Vendor Advisory
https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:linuxfoundation:nats-server::::::::
	cpe:2.3:a:linuxfoundation:nats-server::::::::

History

No history.

Information

Published : 2026-03-25 21:16

Updated : 2026-03-26 16:22

NVD link : CVE-2026-33248

Mitre link : CVE-2026-33248

CVE.ORG link : CVE-2026-33248

JSON object : View

Products Affected

linuxfoundation

nats-server

CWE

CWE-287

Improper Authentication

CWE-295

Improper Certificate Validation

{"id": "CVE-2026-33248", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.6}]}, "published": "2026-03-25T21:16:47.563", "references": [{"url": "https://advisories.nats.io/CVE/secnote-2026-13.txt", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices."}, {"lang": "es", "value": "NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajer\u00eda nativo de la nube y del *edge*. Antes de las versiones 2.11.15 y 2.12.6, al usar mTLS para la identidad del cliente, con 'verify_and_map' para derivar una identidad NATS del DN del Asunto del certificado del cliente, ciertos patrones de RDN no se aplicar\u00edan correctamente, permitiendo la omisi\u00f3n de autenticaci\u00f3n. Esto requiere un certificado v\u00e1lido de una CA ya confiable para certificados de cliente, y patrones de nombres de 'DN' que los mantenedores de NATS consideran altamente improbables. Por lo tanto, este es un ataque improbable. No obstante, los administradores que han sido muy sofisticados en sus patrones de construcci\u00f3n de 'DN' podr\u00edan verse afectados. Las versiones 2.11.15 y 2.12.6 contienen una correcci\u00f3n. Como soluci\u00f3n alternativa, los desarrolladores deber\u00edan revisar sus pr\u00e1cticas de emisi\u00f3n de CA."}], "lastModified": "2026-03-26T16:22:06.270", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C", "versionEndExcluding": "2.11.15"}, {"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154", "versionEndExcluding": "2.12.6", "versionStartIncluding": "2.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}