Skip to main content

Apache CVE-2026-33308

| EUVDEUVD-2026-14694 MEDIUM
Improper Certificate Validation (CWE-295)
2026-03-24 GitHub_M
6.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
0.13.0
EUVD ID Assigned
Mar 24, 2026 - 02:45 euvd
EUVD-2026-14694
Analysis Generated
Mar 24, 2026 - 02:45 vuln.today
CVE Published
Mar 24, 2026 - 01:36 nvd
MEDIUM 6.8

DescriptionGitHub Advisory

Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Prior to version 0.13.0, code for client certificate verification did not check the key purpose as set in the Extended Key Usage extension. An attacker with access to the private key for a valid certificate issued by a CA trusted for TLS client authentication but designated for a different purpose could have used that certificate to improperly access resources requiring TLS client authentication. Server configurations that do not use client certificates (GnuTLSClientVerify ignore, the default) are not affected. The problem has been fixed in version 0.13.0 by rewriting certificate verification to use gnutls_certificate_verify_peers(), and requiring key purpose id-kp-clientAuth (also known as tls_www_client in GnuTLS) by default if the Extended Key Usage extension is present. The new GnuTLSClientKeyPurpose option allows overriding the expected key purpose if needed (please see the manual for details). Behavior for certificates without an Extended Key Usage extension is unchanged. If dedicated (sub-)CAs are used for issuing TLS client certificates only (not for any other purposes) the issue has no practical impact.

AnalysisAI

Mod_gnutls versions prior to 0.13.0 fail to validate the Extended Key Usage (EKU) extension during client certificate verification, allowing an attacker with a valid certificate issued for a different purpose to improperly authenticate for TLS client certificate-based access. Only Apache HTTPD servers configured to use client certificate authentication (via GnuTLSClientVerify settings other than 'ignore') are affected. The vulnerability enables unauthorized information disclosure through certificate misuse, with a CVSS score of 6.8 reflecting high confidentiality impact but requiring non-trivial attack complexity.

Technical ContextAI

Mod_gnutls is a TLS module for Apache HTTPD that implements certificate-based authentication using the GnuTLS cryptographic library. The vulnerability stems from improper implementation of RFC 5280 Extended Key Usage (EKU) validation, a critical X.509 extension that restricts certificate use to specific purposes (identified by object identifiers such as id-kp-clientAuth). The root cause is classified under CWE-295 (Improper Certificate Validation), where the module accepted certificates without verifying that the EKU extension explicitly authorized the 'tls_www_client' key purpose required for client authentication. The affected CPE is cpe:2.3:a:airtower-luna:mod_gnutls:*:*:*:*:*:*:*:*, indicating all versions before 0.13.0 shipped by airtower-luna. The fix rewrote certificate verification logic to use GnuTLS's gnutls_certificate_verify_peers() function, which properly enforces EKU constraints by default and introduces the GnuTLSClientKeyPurpose configuration option for administrator override.

RemediationAI

Immediately upgrade mod_gnutls to version 0.13.0 or later from the official airtower-luna GitHub repository (https://github.com/airtower-luna/mod_gnutls). Recompile and redeploy the module against Apache HTTPD, then restart the web server to activate the patched certificate verification logic. For organizations unable to patch immediately, audit Apache configurations to identify servers with active client certificate authentication (GnuTLSClientVerify require or optional); restrict network access to these endpoints to trusted IP ranges via firewall or reverse proxy rules, and implement certificate pinning for critical client authenticators to prevent acceptance of mis-issued certificates. Additionally, review CA issuance policies to ensure client authentication certificates are issued with the correct id-kp-clientAuth EKU extension and are not reused for other purposes. Monitor access logs for suspicious client certificate usage patterns, especially from certificates with unexpected issuers or subject names.

Share

CVE-2026-33308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy