CVE-2026-33248 - Vulnerability Details

- NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.

Published: 2026-03-25

Score: 4.2 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw occurs in client authentication when NATS Server uses the verify_and_map method to map a client’s identity from their certificate’s Subject Distinguished Name (DN). The logic that validates the DN does not correctly enforce certain relative DN (RDN) patterns, allowing a certificate that nominally conforms to the trusted CA requirements but contains an unexpected RDN arrangement to be accepted. An attacker who can obtain a certificate issued by a trusted CA and craft the DN to exploit the pattern regression can trick the server into creating a NATS identity that matches a legitimate user, thereby bypassing authentication and gaining ownership of that identity’s messaging permissions. Although the vulnerability requires a valid CA‑issued certificate and a highly unlikely DN pattern, the impact for affected deployments is that an unauthorized party could impersonate any user whose identity is derivable from the client’s DN. This could compromise confidentiality, integrity, and availability of the messaging system, especially in sensitive or multi‑tenant environments. The CVE notes that the vulnerability is unlikely in practice but acknowledges that very sophisticated DN construction could expose an environment to exploitation.

Affected Systems

The vulnerability affects NATS.io NATS Server versions older than 2.11.15 and 2.12.6. All builds of the server that use the verify_and_map authentication method for mTLS client certificates are susceptible unless upgraded to one of the patched releases.

Risk and Exploitability

The CVSS score of 4.2 indicates moderate severity. The EPSS probability is listed as less than 1 % and the issue is not currently in the CISA KEV catalog, suggesting a low likelihood of already exposed exploitation. However, the attack path requires a properly issued client certificate from a trusted CA and carefully constructed DN fields that match the server’s (now flawed) validation logic. Attackers would need to maintain a valid certificate authority or compromise one, and craft the subject DN to mimic an existing user’s pattern. While the vector is remote—any external client that can establish an mTLS session—it is contingent on existing trust relationships.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

nats-io

nats-server

affected

Version	Status	Constraints
`< 2.11.15`	affected	—
`>= 2.12.0-RC.1, < 2.12.6`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:linuxfoundation:nats-server::::::::
	cpe:2.3:a:linuxfoundation:nats-server::::::::

No data.

Vendor Product Confidence Versions

Nats

Nats Server

91%

Version	Status	Scheme	Platform
`[0,2.11.15)`	affected	semver	—
`[2.12.0-RC.1,2.12.6)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to NATS Server 2.11.15 or newer versions
Review and restrict CA‑issued client certificate DN patterns to avoid ambiguous RDN combinations
Monitor server logs for unexpected or unauthorized client connections

Generated by OpenCVE AI on March 26, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-3f24-pcvm-5jqc	NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://advisories.nats.io/CVE/secnote-2026-13.txt
https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc
https://nvd.nist.gov/vuln/detail/CVE-2026-33248
https://www.cve.org/CVERecord?id=CVE-2026-33248

History

Fri, 27 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Mar 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linuxfoundation Linuxfoundation nats-server
CPEs		cpe:2.3:a:linuxfoundation:nats-server::::::::
Vendors & Products		Linuxfoundation Linuxfoundation nats-server

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nats Nats nats Server
Vendors & Products		Nats Nats nats Server

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-289
References		https://nvd.nist.gov/vuln/detail/CVE-2026-33248 https://www.cve.org/CVERecord?id=CVE-2026-33248
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 25 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description		NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.
Title		NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
Weaknesses		CWE-287 CWE-295
References		https://advisories.nats.io/CVE/secnote-2026-13.txt https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc
Metrics		cvssV3_1 `{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Linuxfoundation Nats-server

Nats Nats Server

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-25T20:18:28.923Z

Updated: 2026-03-26T19:52:12.357Z

Reserved: 2026-03-18T02:42:27.509Z

Link: CVE-2026-33248

Vulnrichment

Updated: 2026-03-26T19:51:09.345Z

NVD

Status : Analyzed

Published: 2026-03-25T21:16:47.563

Modified: 2026-03-26T16:22:06.270

Link: CVE-2026-33248

Redhat

Severity : Moderate

Publid Date: 2026-03-25T20:18:28Z

Links: CVE-2026-33248 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:29:47Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object