CVE-2026-33248— NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33248
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
Source: NVD (National Vulnerability Database)
Vulnerability Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Nats-Server 信任管理问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Nats-Server是Nats开源的一个用于 Nats.io、云和边缘本机消息传递系统的高性能服务器。 Nats-Server 2.11.15之前版本和2.12.6之前版本存在信任管理问题漏洞,该漏洞源于使用mTLS进行客户端身份验证时,某些RDN模式未正确强制执行,可能导致身份验证绕过。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| nats-io | nats-server | < 2.11.15 | - |
II. Public POCs for CVE-2026-33248
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33248
请登录查看更多情报信息。
Same Patch Batch · nats-io · 2026-03-25 · 12 CVEs total
| CVE-2026-33216 | 8.6 HIGH | NATS has MQTT plaintext password disclosure |
| CVE-2026-27889 | 7.5 HIGH | NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead |
| CVE-2026-29785 | 7.5 HIGH | NATS Server panic via malicious compression on leafnode port |
| CVE-2026-33218 | 7.5 HIGH | NATS has pre-auth server panic via leafnode handling |
| CVE-2026-33247 | 7.4 HIGH | NATS credentials are exposed in monitoring port via command-line argv |
| CVE-2026-33217 | 7.1 HIGH | NATS allows MQTT clients to bypass ACL checks |
| CVE-2026-33246 | 6.4 MEDIUM | NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers |
| CVE-2026-33223 | 6.4 MEDIUM | NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing |
| CVE-2026-33219 | 5.3 MEDIUM | NATS is vulnerable to pre-auth DoS through WebSockets client service |
| CVE-2026-33222 | 4.9 MEDIUM | NATS JetStream has an authorization bypass through its Management API |
| CVE-2026-33249 | 4.3 MEDIUM | NATS: Message tracing can be redirected to arbitrary subject |
IV. Related Vulnerabilities
Same product: nats-server
- CVE-2026-33249
NATS: Message tracing can be redirected to arbitrary subject - CVE-2026-33223
NATS Server: Incomplete Stripping of Nats-Request-Info Heade - CVE-2026-33222
NATS JetStream has an authorization bypass through its Manag - CVE-2026-33247
NATS credentials are exposed in monitoring port via command- - CVE-2026-33219
NATS is vulnerable to pre-auth DoS through WebSockets client
Same vendor: nats-io
- CVE-2026-33249
NATS: Message tracing can be redirected to arbitrary subject - CVE-2026-33223
NATS Server: Incomplete Stripping of Nats-Request-Info Heade - CVE-2026-33222
NATS JetStream has an authorization bypass through its Manag - CVE-2026-33247
NATS credentials are exposed in monitoring port via command- - CVE-2026-33219
NATS is vulnerable to pre-auth DoS through WebSockets client
Same weakness: CWE-287
- CVE-2026-8244
Industrial Application Software IAS Canias ERP Login RMI imp - CVE-2026-8216
Industrial Application Software IAS Canias ERP Java RMI Sess - CVE-2026-8214
Industrial Application Software IAS Canias ERP RMI doAction - CVE-2026-42560
auth: Patreon provider assigns the same local user ID to eve - CVE-2026-41070
openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, all
V. Comments for CVE-2026-33248
No comments yet