Platform
go
Component
github.com/nats-io/nats-server
Fixed in
2.11.16
2.12.1
2.11.15
CVE-2026-33248 describes an Authentication Bypass vulnerability discovered in NATS Server. This flaw allows attackers to circumvent mTLS authentication mechanisms by exploiting incorrect Subject DN matching within the server's configuration. The vulnerability impacts versions of NATS Server released before 2.11.15. A fix is available in version 2.11.15.
Successful exploitation of CVE-2026-33248 allows an attacker to bypass mTLS authentication in NATS Server. This means an attacker who can craft a malicious Subject DN can gain unauthorized access to the NATS cluster, potentially reading and writing messages, subscribing to topics, and executing commands if the NATS server is integrated with other systems. The blast radius depends on the sensitivity of the data flowing through the NATS cluster and the level of access granted to authenticated clients. If NATS is used for control plane communication within a larger system, this bypass could lead to widespread compromise.
CVE-2026-33248 was publicly disclosed on 2026-03-26. The vulnerability's impact is considered medium due to the potential for unauthorized access, but the exploitability is likely limited by the need to craft a specific Subject DN. No public proof-of-concept (PoC) has been released as of this writing, but the vulnerability is listed on the NVD. It is not currently listed on CISA KEV.
Organizations heavily reliant on NATS Server for inter-service communication, particularly those using mTLS for authentication, are at risk. Environments with complex NATS configurations and custom Subject DN mappings are especially vulnerable. Shared hosting environments where NATS Server is deployed alongside other applications should also be considered at higher risk.
• linux / server:
journalctl -u nats-server -g "authentication bypass"
• generic web:
curl -I https://your-nats-server/ | grep Subject:
# Check for unexpected Subject DNs in the response headers. This requires access to the NATS server endpoint.
Exploit Status
EPSS
0.02% (percentile 5%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33248 is to upgrade NATS Server to version 2.11.15 or later. If immediate upgrading is not possible, consider implementing stricter Subject DN validation rules in your NATS configuration to limit the potential impact of the bypass. While not a complete fix, this can reduce the attack surface. Review your mTLS configuration to ensure Subject DNs are properly validated against expected values. Monitor NATS server logs for unusual authentication attempts or connections with unexpected Subject DNs.
Update NATS Server to version 2.11.15 or later, or to version 2.12.6 or later. Review CA certificate issuance practices to mitigate the risk of vulnerable DN patterns.
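As an added illustration of the stricter Subject DN validation recommended above (this fragment is not from the advisory or the NATS project), the following nats-server configuration maps each mTLS client to a user entry by its complete certificate subject string rather than a partial match; the file paths, DN values and subject names are assumed placeholders, and the exact DN ordering the server derives from the certificate should be confirmed against the NATS documentation for the deployed version.

```conf
# Added example: pin each mTLS client identity to its full subject DN.
# Paths and DN values below are placeholders, not taken from the advisory.
tls {
  cert_file: "/etc/nats/certs/server.pem"
  key_file:  "/etc/nats/certs/server-key.pem"
  ca_file:   "/etc/nats/certs/ca.pem"
  # Require a client certificate and map its subject to a user entry
  verify_and_map: true
}

authorization {
  users = [
    # The complete DN (RFC 2253 form) is the only accepted identity;
    # do not rely on the CN alone or on a DN prefix.
    {
      user: "CN=orders-svc,OU=Platform,O=Example Corp,C=US"
      permissions: {
        publish:   ["orders.>"]
        subscribe: ["orders.>", "_INBOX.>"]
      }
    }
  ]
}
```

Clients whose certificate subject does not match an entry exactly are rejected at connect time, which also gives the server log a clear signal to watch for unexpected DNs.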
CVE-2026-33248 is a vulnerability in NATS Server allowing attackers to bypass mTLS authentication due to incorrect Subject DN matching, potentially granting unauthorized access. It's rated MEDIUM severity.
You are affected if you are running NATS Server versions prior to 2.11.15. Verify your version and upgrade immediately if vulnerable.
Upgrade NATS Server to version 2.11.15 or later. If upgrading is not immediately possible, implement stricter Subject DN validation rules in your configuration.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and should be addressed promptly.
Refer to the official NATS Server security advisory on the NATS website for detailed information and updates: [https://nats.io/security/advisories](https://nats.io/security/advisories)