CVE-2026-33248
March 25, 2026
NATS Server is the high-performance server for NATS.io, a cloud- and edge-native messaging system. Prior to versions 2.11.15 and 2.12.6, when mTLS was used for client identity with "verify_and_map" enabled to derive a NATS identity from the client certificate's Subject DN, certain RDN patterns were not correctly enforced, allowing an authentication bypass. Exploitation requires a valid certificate issued by a CA that is already trusted for client certificates, together with DN naming patterns that the NATS maintainers consider highly unlikely, so the attack is improbable in practice. Nonetheless, administrators who have used unusually elaborate DN construction patterns could conceivably be affected. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, administrators should review their CA issuing practices, in particular which Subject names the trusted CA will issue and to whom.
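The advisory does not say which RDN patterns the vulnerable versions mishandled, so the program below makes no claim about the exact bypass or the fix. It is an added example, written for this page and not taken from nats-server, of the property a "verify_and_map"-style mapping must have: the identity is derived from the already-verified client certificate's Subject compared structurally, RDN by RDN in wire order, rather than as a string. The attribute-OID table, the user table and the three sample Subjects are constructed for the example; a multi-valued RDN ("CN=alice+OU=ops"), a truncated DN and a reordered DN are all treated as identities different from the configured one.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"maps"
)
// RDN is one Relative Distinguished Name: an ASN.1 SET of type=value pairs. A DN is
// an ordered sequence of RDNs, kept here in wire order (O first, CN last). An RDN with
// two pairs is "multi-valued" (CN=a+OU=b in RFC 4514 notation), a different DN from
// the same two pairs as separate RDNs.
type RDN map[string]string

// Attribute types this example understands (hypothetical subset).
var attrOIDs = map[string]asn1.ObjectIdentifier{"CN": {2, 5, 4, 3}, "OU": {2, 5, 4, 11}, "O": {2, 5, 4, 10}}
var oidNames = map[string]string{"2.5.4.3": "CN", "2.5.4.11": "OU", "2.5.4.10": "O"}

// ParseSubjectDN decodes cert.RawSubject exactly as the CA encoded it, keeping RDN
// order and multi-valued RDNs, and refuses anything it cannot represent losslessly.
func ParseSubjectDN(rawSubject []byte) ([]RDN, error) {
	var seq pkix.RDNSequence
	if rest, err := asn1.Unmarshal(rawSubject, &seq); err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("malformed Subject: %v (trailing bytes: %d)", err, len(rest))
	}
	var dn []RDN
	for _, set := range seq {
		r := RDN{}
		for _, atv := range set {
			name, known := oidNames[atv.Type.String()]
			val, isStr := atv.Value.(string)
			if !known || !isStr {
				return nil, fmt.Errorf("unsupported attribute %v", atv.Type)
			}
			if _, dup := r[name]; dup {
				return nil, fmt.Errorf("duplicate %s within one RDN", name)
			}
			r[name] = val
		}
		dn = append(dn, r)
	}
	return dn, nil
}

// DNEqual is strict structural equality: same RDN count and order, every RDN holding
// exactly the same attributes with identical values. No normalisation, no substring match.
func DNEqual(a, b []RDN) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if !maps.Equal(a[i], b[i]) {
			return false
		}
	}
	return true
}

// MapIdentity returns the configured user whose DN equals the Subject of an
// already-verified client certificate (pass cert.RawSubject); no exact match, no identity.
func MapIdentity(rawSubject []byte, users map[string][]RDN) (string, bool) {
	dn, err := ParseSubjectDN(rawSubject)
	if err != nil {
		return "", false
	}
	for name, want := range users {
		if DNEqual(dn, want) {
			return name, true
		}
	}
	return "", false
}

// EncodeDN is the inverse of ParseSubjectDN; it only builds the sample Subjects
// below, where a real deployment reads cert.RawSubject from the TLS peer.
func EncodeDN(dn []RDN) []byte {
	var seq pkix.RDNSequence
	for _, r := range dn {
		var set pkix.RelativeDistinguishedNameSET
		for name, val := range r {
			set = append(set, pkix.AttributeTypeAndValue{Type: attrOIDs[name], Value: val})
		}
		seq = append(seq, set)
	}
	raw, _ := asn1.Marshal(seq) // only fails for a name missing from attrOIDs; parse then rejects nil
	return raw
}

// Users is a constructed operator mapping; alice's DN in RFC 4514 form is CN=alice,OU=ops,O=Example.
var Users = map[string][]RDN{"alice": {{"O": "Example"}, {"OU": "ops"}, {"CN": "alice"}}}
func main() {
	for label, dn := range map[string][]RDN{
		"exact":       {{"O": "Example"}, {"OU": "ops"}, {"CN": "alice"}},
		"multivalued": {{"O": "Example"}, {"OU": "ops", "CN": "alice"}}, // CN=alice+OU=ops,O=Example
		"truncated":   {{"O": "Example"}, {"CN": "alice"}},
	} {
		user, ok := MapIdentity(EncodeDN(dn), Users)
		fmt.Printf("%-12s user=%q mapped=%v\n", label, user, ok)
	}
}
```

Two practical notes. First, the mapping must only run after the TLS layer has verified the chain (in Go, tls.Config with ClientAuth set to RequireAndVerifyClientCert); the Subject of an unverified certificate is attacker-chosen text. Second, the RFC 4514 string form of a DN lists RDNs in the reverse of the encoded order, so a configuration written as "CN=alice,OU=ops,O=Example" has to be parsed into wire order before comparison; the example stores wire order directly to avoid needing a DN string parser.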
Affected Packages
github.com/nats-io/nats-server/v2 (Go):
Affected version(s): >=v2.0.0-RC14.0.20190604014547-ed1901c79292 <v2.11.15
Fix Suggestion: Update to version v2.11.15 (or v2.12.6 on the 2.12 line, per the description above)
Related Resources (4)
CVSS v4
Base Score: 2.3
Attack Vector: NETWORK
Attack Complexity: HIGH
Attack Requirements: NONE
Privileges Required: LOW
User Interaction: NONE
Vulnerable System Confidentiality: LOW
Vulnerable System Integrity: LOW
Vulnerable System Availability: NONE
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 4.2
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE
EPSS
Score: 0.02 (EPSS is a probability of exploitation activity in the next 30 days, not a CVSS-style base score)