4.2
CVE-2026-33248
- EPSS 0.03%
- Veröffentlicht 25.03.2026 20:18:28
- Zuletzt bearbeitet 26.03.2026 16:22:06
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginNATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linuxfoundation ≫ Nats-server Version < 2.11.15
Linuxfoundation ≫ Nats-server Version >= 2.12.0 < 2.12.6
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.078 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 4.2 | 1.6 | 2.5 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-295 Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.