CVE-2026-33248

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33248
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33248.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33248
Aliases
Downstream
Related
Published
2026-03-25T20:18:28.923Z
Modified
2026-04-10T05:42:43.020044Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
Details

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with verify_and_map to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and DN naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their DN construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33248.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287",
        "CWE-295"
    ]
}
References

Affected packages

Git / github.com/nats-io/nats-server

Affected ranges

Type
GIT
Repo
https://github.com/nats-io/nats-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
bef17e1d9de6574fae0eabe1798db0d4529834e4
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.11.15"
        }
    ]
}
Type
GIT
Repo
https://github.com/nats-io/nats-server
Events
Introduced
4dccf778573cd9a9e52fb8f119718459f6f2f761
Fixed
0e0639058e0d2d8fce0cc34941f9897da152ab32
Database specific 
{
    "versions": [
        {
            "introduced": "2.12.0-RC.1"
        },
        {
            "fixed": "2.12.6"
        }
    ]
}

Affected versions

v0.*
v0.5.1
v0.5.2
v0.5.4
v0.5.6
v0.6.0
v0.6.2
v0.6.4
v0.6.6
v0.6.8
v0.7.0
v0.7.2
v0.8.0
v0.8.1
v0.9.2
v0.9.4
v0.9.6
v1.*
v1.0.0
v1.0.2
v1.0.4
v1.0.6
v1.1.0
v1.2.0
v1.3.0
v2.*
v2.0.0
v2.0.0-RC14
v2.0.0-RC19
v2.0.2
v2.0.4
v2.1.0
v2.1.2
v2.1.4
v2.1.6
v2.1.7
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.11.0
v2.11.0-RC.1
v2.11.0-RC.2
v2.11.0-RC.3
v2.11.0-RC.4
v2.11.0-RC.5
v2.11.10
v2.11.10-RC.1
v2.11.11
v2.11.11-RC.1
v2.11.11-RC.2
v2.11.11-RC.3
v2.11.11-RC.4
v2.11.12
v2.11.12-RC.1
v2.11.12-RC.2
v2.11.12-RC.3
v2.11.12-RC.4
v2.11.12-RC.5
v2.11.12-RC.6
v2.11.12-RC.7
v2.11.14
v2.11.2
v2.11.2-RC.1
v2.11.2-RC.2
v2.11.2-RC.3
v2.11.3
v2.11.3-RC.1
v2.11.3-RC.2
v2.11.4
v2.11.4-RC.1
v2.11.4-RC.2
v2.11.4-RC.3
v2.11.5
v2.11.5-RC.1
v2.11.5-RC.2
v2.11.5-RC.3
v2.11.5-RC.4
v2.11.6
v2.11.6-RC.1
v2.11.7
v2.11.7-RC.1
v2.11.7-RC.2
v2.11.7-RC.3
v2.11.8
v2.11.8-RC.1
v2.11.9
v2.11.9-RC.1
v2.11.9-RC.2
v2.11.9-RC.3
v2.12.0
v2.12.0-RC.1
v2.12.0-RC.2
v2.12.0-RC.3
v2.12.0-RC.4
v2.12.0-RC.5
v2.12.0-RC.6
v2.12.1
v2.12.1-RC.1
v2.12.1-RC.2
v2.12.1-RC.3
v2.12.1-RC.4
v2.12.1-RC.5
v2.12.2
v2.12.2-RC.1
v2.12.2-RC.2
v2.12.2-RC.3
v2.12.2-RC.4
v2.12.3
v2.12.3-RC.1
v2.12.3-RC.2
v2.12.3-RC.3
v2.12.3-RC.4
v2.12.3-RC.5
v2.12.4
v2.12.4-RC.1
v2.12.4-RC.2
v2.12.4-RC.3
v2.12.4-RC.4
v2.12.4-RC.5
v2.12.4-RC.6
v2.12.5
v2.12.5-RC.1
v2.12.5-RC.2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.7.0
v2.7.0-rc1
v2.7.0-rc2
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.9.0
v2.9.1
v2.9.10
v2.9.11
v2.9.12
v2.9.14
v2.9.15
v2.9.16
v2.9.17
v2.9.18
v2.9.19
v2.9.2
v2.9.20
v2.9.21
v2.9.22
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7
v2.9.8
v2.9.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33248.json"