Platform
go
Component
github.com/nats-io/nats-server
Fixed in
2.11.16
2.12.1
2.11.15
CVE-2026-33248 describes an Authentication Bypass vulnerability discovered in NATS Server. This flaw allows attackers to circumvent mTLS authentication mechanisms by exploiting incorrect Subject DN matching within the server's configuration. The vulnerability impacts versions of NATS Server released before 2.11.15. A fix is available in version 2.11.15.
Successful exploitation of CVE-2026-33248 allows an attacker to bypass mTLS authentication in NATS Server. This means an attacker who can craft a malicious Subject DN can gain unauthorized access to the NATS cluster, potentially reading and writing messages, subscribing to topics, and executing commands if the NATS server is integrated with other systems. The blast radius depends on the sensitivity of the data flowing through the NATS cluster and the level of access granted to authenticated clients. If NATS is used for control plane communication within a larger system, this bypass could lead to widespread compromise.
CVE-2026-33248 was publicly disclosed on 2026-03-26. The vulnerability's impact is considered medium due to the potential for unauthorized access, but the exploitability is likely limited by the need to craft a specific Subject DN. No public proof-of-concept (PoC) has been released as of this writing, but the vulnerability is listed on the NVD. It is not currently listed on CISA KEV.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33248 is to upgrade NATS Server to version 2.11.15 or later. If immediate upgrading is not possible, consider implementing stricter Subject DN validation rules in your NATS configuration to limit the potential impact of the bypass. While not a complete fix, this can reduce the attack surface. Review your mTLS configuration to ensure Subject DNs are properly validated against expected values. Monitor NATS server logs for unusual authentication attempts or connections with unexpected Subject DNs.
Update NATS Server to version 2.11.15 or later, or to version 2.12.6 or later. Review CA certificate issuance practices to mitigate the risk of vulnerable DN patterns.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-33248 is a vulnerability in NATS Server allowing attackers to bypass mTLS authentication due to incorrect Subject DN matching, potentially granting unauthorized access. It's rated MEDIUM severity.
You are affected if you are running NATS Server versions prior to 2.11.15. Verify your version and upgrade immediately if vulnerable.
Upgrade NATS Server to version 2.11.15 or later. If upgrading is not immediately possible, implement stricter Subject DN validation rules in your configuration.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and should be addressed promptly.
Refer to the official NATS Server security advisory on the NATS website for detailed information and updates: [https://nats.io/security/advisories](https://nats.io/security/advisories)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.