CVE-2026-33248
published 2026-03-25CVE-2026-33248: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for…
PriorityP425medium4.2CVSS 3.1
AVNACHPRLUINSUCLILAN
EPSS
0.14%
4.0th percentile
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nats-server | < nats-server 2.12.6-1 (forky) | nats-server 2.12.6-1 (forky) |
| github.com | nats-io_nats-server_v2 | >= 0 < 2.11.15 | 2.11.15 |
| github.com | nats-io_nats-server_v2 | >= 2.12.0-RC.1 < 2.12.6 | 2.12.6 |
| linuxfoundation | nats-server | < 2.11.15 | 2.11.15 |
| linuxfoundation | nats-server | >= 0 < 2.12.6-1 | 2.12.6-1 |
| linuxfoundation | nats-server | >= 2.12.0 < 2.12.6 | 2.12.6 |
| nats-io | nats-server | < 2.11.15 | 2.11.15 |
| nats-io | nats-server | — | — |
CVSS provenance
nvdv3.14.2MEDIUMCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
osv4.2MEDIUM
vendor_debian4.2MEDIUM
vendor_redhat4.2MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching in github.com/nats-io/nats-server
osv·2026-03-26
CVE-2026-33248 NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching in github.com/nats-io/nats-server
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching in github.com/nats-io/nats-server
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching in github.com/nats-io/nats-server
OSV
CVE-2026-33248: NATS-Server is a High-Performance server for NATS
osv·2026-03-25·CVSS 4.2
CVE-2026-33248 [MEDIUM] CVE-2026-33248: NATS-Server is a High-Performance server for NATS
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.
OSV
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
osv·2026-03-24
CVE-2026-33248 [MEDIUM] NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
### Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate.
### Problem Description
When using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass.
This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely.
So this is
GHSA
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
ghsa·2026-03-24
CVE-2026-33248 [MEDIUM] CWE-287 NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
### Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate.
### Problem Description
When using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass.
This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely.
So this is
Red Hat
github.com/nats-io/nats-server: nats: NATS-Server: Authentication bypass due to incorrect Subject DN matching during mTLS client identity verification
vendor_redhat·2026-03-25·CVSS 4.2
CVE-2026-33248 [MEDIUM] CWE-289 github.com/nats-io/nats-server: nats: NATS-Server: Authentication bypass due to incorrect Subject DN matching during mTLS client identity verification
github.com/nats-io/nats-server: nats: NATS-Server: Authentication bypass due to incorrect Subject DN matching during mTLS client identity verification
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns
Debian
CVE-2026-33248: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...
vendor_debian·2026·CVSS 4.2
CVE-2026-33248 [MEDIUM] CVE-2026-33248: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.
Scope:
No detection rules found.
No public exploits indexed.
2026-03-25
Published