CVE-2026-33248
Obejście uwierzytelnienia w NATS-Server umożliwia nieautoryzowany dostęp przy użyciu certyfikatu.
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 4.2 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-03-25 21:16:47 UTC |
| Ostatnia modyfikacja (NVD) | 2026-03-26 16:22:06 UTC |
- https://advisories.nats.io/CVE/secnote-2026-13.txt (security-advisories@github.com) [Vendor Advisory]
- https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc (security-advisories@github.com) [Vendor Advisory]