CVE-2026-33248
Authentication Bypass in NATS-Server mTLS DN Verification
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | nats-server | From 2.12.0 (inc) to 2.12.6 (exc) |
| linuxfoundation | nats-server | to 2.11.15 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authentication bypass in the mTLS client identity verification process under specific and unlikely conditions, potentially weakening the authentication controls of the NATS server.
Since authentication is a fundamental security control required by many standards and regulations such as GDPR and HIPAA, this flaw could impact compliance by undermining the assurance that only authorized clients can access the system.
However, the attack requires a valid client certificate from a trusted Certificate Authority and unusual Distinguished Name patterns, making exploitation improbable in typical deployments.
Administrators are advised to review and tighten their CA certificate issuance practices to mitigate this risk and maintain compliance with security requirements.
Can you explain this vulnerability to me?
CVE-2026-33248 is a security vulnerability in the NATS-Server's mTLS client identity authentication mechanism. It occurs when using the verify_and_map feature to derive a NATS identity from the TLS client certificate's Subject Distinguished Name (DN). Certain Relative Distinguished Name (RDN) patterns within the Subject DN are not properly enforced, which can allow an attacker to bypass authentication.
Exploitation requires the attacker to have a valid client certificate issued by a trusted Certificate Authority (CA) and to exploit specific DN naming patterns that are considered highly unlikely by the NATS maintainers. This makes the attack improbable but possible in sophisticated DN configurations.
The vulnerability affects all NATS server versions prior to 2.11.15 and 2.12.6, where a fix has been applied.
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass authentication in the NATS server when using mTLS with the verify_and_map method. This means an attacker with a valid client certificate from a trusted CA and exploiting unusual DN naming patterns could gain unauthorized access.
The impact on confidentiality and integrity is considered low, and there is no impact on availability. The attack complexity is high, requiring low privileges and no user interaction.
Administrators who use sophisticated DN construction patterns or have lax CA certificate issuance practices might be more at risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an authentication bypass in the mTLS client identity verification process when using the verify_and_map method with certain Relative Distinguished Name (RDN) patterns in the client certificate's Subject DN. Detection would require inspecting the NATS server configuration and client certificate usage to identify if verify_and_map is used and if client certificates have unusual or sophisticated DN naming patterns that might be exploited.
No specific detection commands or network scanning commands are provided in the available resources.
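The two facts the detection answer above rests on, the affected version ranges and whether tls.verify_and_map is enabled, can be checked from a shell. The script below is an added example written for this page; it is not from the advisory, the NATS project or the database vendor. It assumes nats-server prints its version as "nats-server: vX.Y.Z" (the form the binary prints with --version), the config file path and the sample config are constructed for illustration, and because the advisory does not name the problematic RDN pattern the script deliberately does not try to classify certificate subjects.

```shell
#!/bin/sh
# Added defender-side check (not the advisory's or the NATS project's code).
# 1. nats_version_affected: is a version inside the ranges this advisory lists
#    (before 2.11.15, or 2.12.0 up to but excluding 2.12.6)?
# 2. config_enables_verify_and_map: does a nats-server config enable the
#    tls.verify_and_map feature the bypass requires?
# The config path and sample config below are constructed for illustration.

# nats_version_affected VERSION -> returns 0 when VERSION is in an affected range.
nats_version_affected() {
  v=${1#v}                                   # tolerate the "v2.x.y" form
  major=$(printf '%s' "$v" | cut -d. -f1)
  minor=$(printf '%s' "$v" | cut -s -d. -f2)
  patch=$(printf '%s' "$v" | cut -s -d. -f3 | sed 's/[^0-9].*//')  # drop "-rc1" suffixes
  : "${minor:=0}" "${patch:=0}"              # "2.11" is treated as 2.11.0
  if [ "$major" -lt 2 ]; then return 0; fi   # every 1.x is before 2.11.15
  if [ "$major" -gt 2 ]; then return 1; fi
  if [ "$minor" -lt 11 ]; then return 0; fi  # 2.0 .. 2.10 are before 2.11.15
  if [ "$minor" -eq 11 ]; then
    if [ "$patch" -lt 15 ]; then return 0; else return 1; fi
  fi
  if [ "$minor" -eq 12 ]; then
    if [ "$patch" -lt 6 ]; then return 0; else return 1; fi
  fi
  return 1                                   # 2.13 and later are not listed
}

# config_enables_verify_and_map FILE -> returns 0 when FILE sets verify_and_map
# to true. NATS accepts "key: value", "key = value" and "key value" spellings.
config_enables_verify_and_map() {
  grep -Eiq '^[[:space:]]*verify_and_map[[:space:]]*[:=]?[[:space:]]*true' "$1"
}

# installed_nats_version -> prints the version of nats-server on PATH, if any.
installed_nats_version() {
  command -v nats-server >/dev/null 2>&1 || return 1
  nats-server --version 2>/dev/null | sed -n 's/.*v\([0-9][0-9.]*\).*/\1/p'
}

# assess_server VERSION CONFIG -> prints a verdict; returns 0 when both
# conditions hold (affected version AND verify_and_map enabled), 2 when only
# the version is affected, 1 when the version is at or past the fixed release.
assess_server() {
  ver=$1; cfg=$2
  if nats_version_affected "$ver"; then
    if config_enables_verify_and_map "$cfg"; then
      echo "EXPOSED: nats-server $ver is in an affected range and $cfg enables verify_and_map"
      return 0
    fi
    echo "AFFECTED VERSION: $ver (verify_and_map not enabled in $cfg)"
    return 2
  fi
  echo "OK: nats-server $ver is at or past the fixed release"
  return 1
}

# write_sample_config FILE -> writes a constructed config that enables
# verify_and_map (illustration only, not a real deployment).
write_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample nats-server config
listen: 0.0.0.0:4222
tls {
  cert_file: "/etc/nats/server.crt"
  key_file:  "/etc/nats/server.key"
  ca_file:   "/etc/nats/ca.crt"
  verify_and_map: true
}
EOF
}

# Stand-alone demo over constructed versions, then the installed binary if present.
demo_cfg=$(mktemp)
write_sample_config "$demo_cfg"
for demo_ver in 2.10.22 2.11.14 2.11.15 2.12.5 2.12.6 2.13.0; do
  assess_server "$demo_ver" "$demo_cfg" || true
done
if real_ver=$(installed_nats_version) && [ -n "$real_ver" ]; then
  assess_server "$real_ver" "${NATS_CONFIG:-/etc/nats/nats-server.conf}" || true
fi
rm -f "$demo_cfg"
```

Point the script at a real deployment with `NATS_CONFIG=/path/to/nats-server.conf sh check.sh`; a server that reports EXPOSED is the case the advisory's mitigation (upgrade to 2.11.15 or 2.12.6) addresses, while AFFECTED VERSION without verify_and_map is still worth upgrading but does not meet the advisory's precondition.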
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the NATS server to version 2.11.15 or 2.12.6 or later, where the issue is fixed.
As a workaround, review and tighten your Certificate Authority (CA) certificate issuance practices to ensure that client certificates do not use the problematic DN naming patterns that could be exploited.