Red Hat CVE-2026-33248
MEDIUMSeverity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate.
Problem Description
When using mTLS for client identity, with verify_and_map to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass.
This does require a valid certificate from a CA already trusted for client certificates, and DN naming patterns which the NATS maintainers consider highly unlikely.
So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their DN construction patterns might conceivably be impacted.
Affected Versions
Fixed in nats-server 2.12.6 & 2.11.15
Workarounds
Developers should review their CA issuing practices.
AnalysisAI
NATS.io nats-server contains an authentication bypass vulnerability in its mTLS client identity verification when using the verify_and_map feature to derive NATS identities from TLS client certificate Subject DN patterns. An authenticated attacker with a valid certificate from a trusted CA can exploit certain RDN (Relative Distinguished Name) patterns to bypass intended identity mapping controls, potentially gaining unauthorized access to message queues. The vulnerability requires both a valid certificate and specific DN construction patterns, making it a low-probability but credible threat for sophisticated deployments; no public POC or active exploitation has been documented, and the CVSS score of 4.2 reflects the high attack complexity and privilege requirement.
Technical ContextAI
NATS.io is a high-performance distributed pub-sub messaging system commonly deployed in cloud, edge, and IoT environments. The affected component (pkg:go/github.com_nats-io_nats-server_v2) implements mTLS authentication via client certificates, with a feature to map certificate Subject DN fields to NATS user identities through the verify_and_map configuration. The root cause classified under CWE-287 (Improper Authentication) stems from incomplete or incorrect parsing/validation of X.509 certificate RDN sequences during identity derivation. Specifically, the DN pattern matching logic fails to correctly enforce all intended constraints when RDNs are arranged in certain non-standard but valid configurations, allowing certificate subjects that should be rejected to pass validation.
RemediationAI
Upgrade nats-server immediately to version 2.12.6 or later for the 2.12.x series, or 2.11.15 or later for the 2.11.x series, per the official NATS advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc. As a workaround pending patching, conduct a comprehensive review of your CA issuing practices and DN construction patterns to identify and remediate any non-standard RDN sequences that could be exploited. For defense-in-depth, enforce additional network-level access controls and monitor NATS server authentication logs for unusual certificate-to-identity mappings. Disable verify_and_map temporarily in favor of alternative authentication methods if DN patterns cannot be immediately validated.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today