{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33248", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T02:42:27.509Z", "datePublished": "2026-03-25T20:18:28.923Z", "dateUpdated": "2026-03-26T19:52:12.357Z"}, "containers": {"cna": {"title": "NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-13.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-13.txt"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": "< 2.11.15", "status": "affected"}, {"version": ">= 2.12.0-RC.1, < 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T20:18:28.923Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices."}], "source": {"advisory": "GHSA-3f24-pcvm-5jqc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33248", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:35:03.328665Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:12.357Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33248", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:35:03.328665Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:51:09.345Z"}}], "cna": {"title": "NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching", "source": {"advisory": "GHSA-3f24-pcvm-5jqc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"status": "affected", "version": "< 2.11.15"}, {"status": "affected", "version": ">= 2.12.0-RC.1, < 2.12.6"}]}], "references": [{"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc", "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://advisories.nats.io/CVE/secnote-2026-13.txt", "name": "https://advisories.nats.io/CVE/secnote-2026-13.txt", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T20:18:28.923Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33248", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:52:12.357Z", "dateReserved": "2026-03-18T02:42:27.509Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T20:18:28.923Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C", "versionEndExcluding": "2.11.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154", "versionEndExcluding": "2.12.6", "versionStartIncluding": "2.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices."}], "id": "CVE-2026-33248", "lastModified": "2026-03-26T16:22:06.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T21:16:47.563", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://advisories.nats.io/CVE/secnote-2026-13.txt"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/nats-io/nats-server: nats: NATS-Server: Authentication bypass due to incorrect Subject DN matching during mTLS client identity verification", "id": "2451484", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451484"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-289", "details": ["A flaw was found in NATS-Server, a high-performance messaging system. When configured to use mutual Transport Layer Security (mTLS) for client identity, and specifically the `verify_and_map` feature, certain patterns within a client certificate's Subject Distinguished Name (DN) were not correctly enforced. This could allow an attacker, possessing a valid certificate from a trusted Certificate Authority (CA), to bypass the intended identity verification. Consequently, this could lead to unauthorized access, although the attack requires highly specific and unlikely DN naming patterns."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33248", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Fix deferred", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-25T20:18:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33248\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33248\nhttps://advisories.nats.io/CVE/secnote-2026-13.txt\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.12.0-RC.1,2.12.6)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "nats-server", "source": "cna", "vendor": "nats-io"}, "product": "nats_server", "vendor": "nats"}], "analysis": {"en": {"generated_at": "2026-03-26T17:29:14.723504+00:00", "value": {"mitigation_remediation": ["Upgrade to NATS Server 2.11.15 or newer versions", "Review and restrict CA\u2011issued client certificate DN patterns to avoid ambiguous RDN combinations", "Monitor server logs for unexpected or unauthorized client connections"], "summary": {"action": "Patch", "impact": "Authentication bypass via mTLS verify_and_map"}, "threat_synthesis": {"affected_systems": "The vulnerability affects NATS.io NATS Server versions older than 2.11.15 and 2.12.6. All builds of the server that use the verify_and_map authentication method for mTLS client certificates are susceptible unless upgraded to one of the patched releases.\n", "description_and_impact": "The flaw occurs in client authentication when NATS Server uses the verify_and_map method to map a client\u2019s identity from their certificate\u2019s Subject Distinguished Name (DN). The logic that validates the DN does not correctly enforce certain relative DN (RDN) patterns, allowing a certificate that nominally conforms to the trusted CA requirements but contains an unexpected RDN arrangement to be accepted. An attacker who can obtain a certificate issued by a trusted CA and craft the DN to exploit the pattern regression can trick the server into creating a NATS identity that matches a legitimate user, thereby bypassing authentication and gaining ownership of that identity\u2019s messaging permissions.\n\nAlthough the vulnerability requires a valid CA\u2011issued certificate and a highly unlikely DN pattern, the impact for affected deployments is that an unauthorized party could impersonate any user whose identity is derivable from the client\u2019s DN. This could compromise confidentiality, integrity, and availability of the messaging system, especially in sensitive or multi\u2011tenant environments.\n\nThe CVE notes that the vulnerability is unlikely in practice but acknowledges that very sophisticated DN construction could expose an environment to exploitation.\n", "risk_and_exploitability": "The CVSS score of 4.2 indicates moderate severity. The EPSS probability is listed as less than 1\u202f% and the issue is not currently in the CISA KEV catalog, suggesting a low likelihood of already exposed exploitation. However, the attack path requires a properly issued client certificate from a trusted CA and carefully constructed DN fields that match the server\u2019s (now flawed) validation logic. Attackers would need to maintain a valid certificate authority or compromise one, and craft the subject DN to mimic an existing user\u2019s pattern. While the vector is remote\u2014any external client that can establish an mTLS session\u2014it is contingent on existing trust relationships.\n"}}}}, "created": "2026-03-25T21:46:13.312022+00:00", "updated": "2026-03-27T09:29:47.837066+00:00", "vendors": ["nats", "nats$PRODUCT$nats_server"]}