Skip to main content

Red Hat CVE-2026-33248

MEDIUM
Improper Authentication (CWE-287)
2026-03-24 https://github.com/nats-io/nats-server
4.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.8 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 24, 2026 - 22:01 vuln.today
CVE Published
Mar 24, 2026 - 21:51 nvd
MEDIUM 4.2

DescriptionGitHub Advisory

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate.

Problem Description

When using mTLS for client identity, with verify_and_map to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass.

This does require a valid certificate from a CA already trusted for client certificates, and DN naming patterns which the NATS maintainers consider highly unlikely.

So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their DN construction patterns might conceivably be impacted.

Affected Versions

Fixed in nats-server 2.12.6 & 2.11.15

Workarounds

Developers should review their CA issuing practices.

AnalysisAI

NATS.io nats-server contains an authentication bypass vulnerability in its mTLS client identity verification when using the verify_and_map feature to derive NATS identities from TLS client certificate Subject DN patterns. An authenticated attacker with a valid certificate from a trusted CA can exploit certain RDN (Relative Distinguished Name) patterns to bypass intended identity mapping controls, potentially gaining unauthorized access to message queues. The vulnerability requires both a valid certificate and specific DN construction patterns, making it a low-probability but credible threat for sophisticated deployments; no public POC or active exploitation has been documented, and the CVSS score of 4.2 reflects the high attack complexity and privilege requirement.

Technical ContextAI

NATS.io is a high-performance distributed pub-sub messaging system commonly deployed in cloud, edge, and IoT environments. The affected component (pkg:go/github.com_nats-io_nats-server_v2) implements mTLS authentication via client certificates, with a feature to map certificate Subject DN fields to NATS user identities through the verify_and_map configuration. The root cause classified under CWE-287 (Improper Authentication) stems from incomplete or incorrect parsing/validation of X.509 certificate RDN sequences during identity derivation. Specifically, the DN pattern matching logic fails to correctly enforce all intended constraints when RDNs are arranged in certain non-standard but valid configurations, allowing certificate subjects that should be rejected to pass validation.

RemediationAI

Upgrade nats-server immediately to version 2.12.6 or later for the 2.12.x series, or 2.11.15 or later for the 2.11.x series, per the official NATS advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc. As a workaround pending patching, conduct a comprehensive review of your CA issuing practices and DN construction patterns to identify and remediate any non-standard RDN sequences that could be exploited. For defense-in-depth, enforce additional network-level access controls and monitor NATS server authentication logs for unusual certificate-to-identity mappings. Disable verify_and_map temporarily in favor of alternative authentication methods if DN patterns cannot be immediately validated.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33248 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy