{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33248", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T02:42:27.509Z", "datePublished": "2026-03-25T20:18:28.923Z", "dateUpdated": "2026-03-26T19:52:12.357Z"}, "containers": {"cna": {"title": "NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-13.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-13.txt"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": "< 2.11.15", "status": "affected"}, {"version": ">= 2.12.0-RC.1, < 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T20:18:28.923Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices."}], "source": {"advisory": "GHSA-3f24-pcvm-5jqc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33248", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:35:03.328665Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:12.357Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C", "versionEndExcluding": "2.11.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154", "versionEndExcluding": "2.12.6", "versionStartIncluding": "2.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices."}], "id": "CVE-2026-33248", "lastModified": "2026-03-26T16:22:06.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T21:16:47.563", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://advisories.nats.io/CVE/secnote-2026-13.txt"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/nats-io/nats-server: nats: NATS-Server: Authentication bypass due to incorrect Subject DN matching during mTLS client identity verification", "id": "2451484", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451484"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-289", "details": ["A flaw was found in NATS-Server, a high-performance messaging system. When configured to use mutual Transport Layer Security (mTLS) for client identity, and specifically the `verify_and_map` feature, certain patterns within a client certificate's Subject Distinguished Name (DN) were not correctly enforced. This could allow an attacker, possessing a valid certificate from a trusted Certificate Authority (CA), to bypass the intended identity verification. Consequently, this could lead to unauthorized access, although the attack requires highly specific and unlikely DN naming patterns."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33248", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Fix deferred", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-25T20:18:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33248\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33248\nhttps://advisories.nats.io/CVE/secnote-2026-13.txt\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.12.0-RC.1,2.12.6)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "nats-server", "source": "cna", "vendor": "nats-io"}, "product": "nats_server", "vendor": "nats"}], "analysis": {"en": {"generated_at": "2026-03-26T03:17:23.921718+00:00", "value": {"mitigation_remediation": ["Upgrade nats-server to version 2.11.15 or later, preferably 2.12.6 or newer, which contain the fix for the Subject DN matching logic.", "Restrict client certificate issuance to avoid uncommon DN patterns that could trigger the bug, and review existing certificates for compliance.", "If upgrading is not immediately possible, consider disabling the verify_and_map configuration or enforcing stricter DN validation manually.", "Monitor authentication logs for anomalous identity mapping or unauthorized client activity."], "summary": {"action": "Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Product nats-io nats-server is affected in all releases before 2.11.15 and 2.12.6 when the verify_and_map option is enabled for mTLS client connections. Administrators configuring mTLS with client certificates issued by a trusted CA and relying on Subject DN mapping are the ones at risk. Versions 2.11.15, 2.12.6, and later contain a fix that correctly enforces DN matching requirements.", "description_and_impact": "NATS-Server's use of mTLS with the verify_and_map configuration allows clients to have their identity derived from the certificate's Subject DN. A flaw in the subject DN matching logic permits certain uncommon distinguished name patterns to be accepted incorrectly, enabling a client that holds a valid certificate trusted by the server to masquerade as another identity. This constitutes an authentication bypass that could allow that client to gain unauthorized access to NATS services, potentially exposing confidential messages or altering system state. The vulnerability does not provide direct remote code execution but threatens confidentiality and integrity through credential misuse.", "risk_and_exploitability": "The CVSS base score of 4.2 indicates a low overall severity. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog, suggesting that widespread exploitation is not known. The attack requires an attacker to possess a legitimate client certificate from a CA already trusted by the server, and to craft a DN pattern that the server incorrectly accepts. Because such DN constructions are considered highly unlikely by the maintainers, the practical risk is low, yet administrators using complex or atypical DN templates should be aware and verify that their certificates cannot be forged to map to other identities."}}}}, "created": "2026-03-25T21:46:13.312022+00:00", "updated": "2026-03-26T12:09:37.595961+00:00", "vendors": ["nats", "nats$PRODUCT$nats_server"]}