Bug 2451484 (CVE-2026-33248) - CVE-2026-33248 github.com/nats-io/nats-server: nats: NATS-Server: Authentication bypass due to incorrect Subject DN matching during mTLS client identity verification
Keywords:
Status: NEW
Alias: CVE-2026-33248
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2451505
Blocks:
Reported: 2026-03-25 21:02 UTC by OSIDB Bzimport
Modified: 2026-03-25 21:29 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-25 21:02:17 UTC
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.

