Platform
apache
Component
mod_gnutls
Fixed in
0.13.1
CVE-2026-33308 is a medium-severity vulnerability affecting mod_gnutls, a TLS module for Apache HTTPD. This flaw stems from inadequate verification of the key purpose within client certificates, potentially allowing unauthorized access. Versions of mod_gnutls prior to 0.13.0 are vulnerable, while servers not utilizing client certificate authentication are unaffected.
An attacker exploiting this vulnerability could leverage a valid client certificate issued by a trusted Certificate Authority (CA), but with a key purpose not intended for TLS client authentication. By presenting this certificate, the attacker could bypass the intended authentication checks and gain access to resources requiring TLS client authentication. The potential impact includes unauthorized data access, modification, or deletion, depending on the privileges associated with the authenticated user. This vulnerability highlights the importance of proper certificate validation and key usage restrictions in TLS configurations.
This CVE was publicly disclosed on 2026-03-24. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is contingent on the configuration of Apache HTTPD and the use of TLS client authentication.
Exploit Status
EPSS
0.03% (10th percentile)
The primary mitigation for CVE-2026-33308 is to upgrade mod_gnutls to version 0.13.0 or later. If an immediate upgrade is not feasible due to compatibility issues, consider temporarily disabling TLS client authentication (GnuTLSClientVerify ignore) as a workaround, though this significantly reduces security. Review your Apache configuration to ensure client certificate verification is only enabled where absolutely necessary. After upgrading, verify the fix by attempting to authenticate with a certificate having an incorrect key purpose; authentication should fail.
Update mod_gnutls to version 0.13.0 or higher. This version corrects the key purpose verification in client certificate verification. If updating is not possible, review the GnuTLSClientKeyPurpose configuration to ensure the key purpose is as expected.
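The following is an added example, not code from the advisory or from the mod_gnutls project: a POSIX shell check using openssl that builds a throwaway demo CA and two CA-signed client certificates, one carrying the clientAuth key purpose and one carrying only serverAuth, and shows that plain chain validation accepts both while a purpose-aware check (`openssl verify -purpose sslclient`) rejects the second. All names and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: distinguish "signed by a trusted CA" from "valid for TLS client
# authentication". The second check is the key-purpose (Extended Key Usage)
# verification that CVE-2026-33308 concerns. Demo PKI only; nothing here is real.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed demo CA (self-signed, CA:TRUE via openssl's default req settings).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_cert NAME EKU: leaf certificate signed by the demo CA whose only
# extension is the given extendedKeyUsage value (e.g. clientAuth, serverAuth).
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$2" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# chain_ok CERT: succeeds if CERT chains to the demo CA, with no purpose check.
# This alone is the insufficient check: a serverAuth-only cert passes it.
chain_ok() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# client_auth_ok CERT: succeeds only if CERT chains to the CA *and* its key
# purpose permits TLS client authentication (clientAuth EKU, or no EKU at all).
client_auth_ok() {
    openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$1" >/dev/null 2>&1
}

# Demo run: both certificates are CA-signed, only one is a legitimate client cert.
issue_cert good clientAuth
issue_cert wrong serverAuth
for name in good wrong; do
    cert="$WORK/$name.pem"
    chain_ok "$cert" && chain=accepted || chain=rejected
    client_auth_ok "$cert" && purpose=accepted || purpose=rejected
    printf '%-5s chain=%s client-auth-purpose=%s\n' "$name" "$chain" "$purpose"
done
```

Expected run: both certificates are reported `chain=accepted`, but only `good` is `client-auth-purpose=accepted`; a client-authentication check that stops at chain validation would let `wrong` through.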
CVE-2026-33308 is a medium-severity vulnerability in mod_gnutls (≤ 0.13.0) that allows attackers to bypass TLS client authentication by exploiting improper certificate key purpose checks.
You are affected if you are running Apache HTTPD with mod_gnutls version 0.13.0 or earlier and have TLS client authentication enabled. Servers without client certificate verification are not affected.
Upgrade mod_gnutls to version 0.13.0 or later. As a temporary workaround, disable TLS client authentication (GnuTLSClientVerify ignore), but be aware of the security implications.
As of the last update, there are no known public exploits or active campaigns targeting CVE-2026-33308.
Refer to the Apache Security page for the latest information and official advisories: https://httpd.apache.org/security/