CVE-2026-33248
Received Received - Intake
Authentication Bypass in NATS-Server mTLS DN Verification

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33248
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation nats-server From 2.12.0 (inc) to 2.12.6 (exc)
linuxfoundation nats-server to 2.11.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33248 is a security vulnerability in the NATS-Server's mTLS client identity authentication mechanism. It occurs when using the verify_and_map feature to derive a NATS identity from the TLS client certificate's Subject Distinguished Name (DN). Certain Relative Distinguished Name (RDN) patterns within the Subject DN are not properly enforced, which can allow an attacker to bypass authentication.

Exploitation requires the attacker to have a valid client certificate issued by a trusted Certificate Authority (CA) and to exploit specific DN naming patterns that are considered highly unlikely by the NATS maintainers. This makes the attack improbable but possible in sophisticated DN configurations.

The vulnerability affects all NATS server versions prior to 2.11.15 and 2.12.6, where a fix has been applied.

Impact Analysis

This vulnerability can allow an attacker to bypass authentication in the NATS server when using mTLS with the verify_and_map method. This means an attacker with a valid client certificate from a trusted CA and exploiting unusual DN naming patterns could gain unauthorized access.

The impact on confidentiality and integrity is considered low, and there is no impact on availability. The attack complexity is high, requiring low privileges and no user interaction.

Administrators who use sophisticated DN construction patterns or have lax CA certificate issuance practices might be more at risk.

Detection Guidance

This vulnerability involves an authentication bypass in the mTLS client identity verification process when using the verify_and_map method with certain Relative Distinguished Name (RDN) patterns in the client certificate's Subject DN. Detection would require inspecting the NATS server configuration and client certificate usage to identify if verify_and_map is used and if client certificates have unusual or sophisticated DN naming patterns that might be exploited.

No specific detection commands or network scanning commands are provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, upgrade the NATS server to version 2.11.15 or 2.12.6 or later, where the issue is fixed.

As a workaround, review and tighten your Certificate Authority (CA) certificate issuance practices to ensure that client certificates do not use the problematic DN naming patterns that could be exploited.

Compliance Impact

This vulnerability allows an authentication bypass in the mTLS client identity verification process under specific and unlikely conditions, potentially weakening the authentication controls of the NATS server.

Since authentication is a fundamental security control required by many standards and regulations such as GDPR and HIPAA, this flaw could impact compliance by undermining the assurance that only authorized clients can access the system.

However, the attack requires a valid client certificate from a trusted Certificate Authority and unusual Distinguished Name patterns, making exploitation improbable in typical deployments.

Administrators are advised to review and tighten their CA certificate issuance practices to mitigate this risk and maintain compliance with security requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33248. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart