Plateforme
apache
Composant
mod_gnutls
Corrigé dans
0.13.1
CVE-2026-33308 is a medium-severity vulnerability affecting modgnutls, a TLS module for Apache HTTPD. This flaw stems from inadequate verification of the key purpose within client certificates, potentially allowing unauthorized access. Versions of modgnutls prior to 0.13.0 are vulnerable, while servers not utilizing client certificate authentication are unaffected.
An attacker exploiting this vulnerability could leverage a valid client certificate issued by a trusted Certificate Authority (CA), but with a key purpose not intended for TLS client authentication. By presenting this certificate, the attacker could bypass the intended authentication checks and gain access to resources requiring TLS client authentication. The potential impact includes unauthorized data access, modification, or deletion, depending on the privileges associated with the authenticated user. This vulnerability highlights the importance of proper certificate validation and key usage restrictions in TLS configurations.
This CVE was publicly disclosed on 2026-03-24. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is contingent on the configuration of Apache HTTPD and the use of TLS client authentication.
Organizations running Apache HTTPD with mod_gnutls versions prior to 0.13.0 and utilizing TLS client authentication are at risk. This includes environments relying on client certificates for secure access to web applications and APIs, particularly those with legacy systems or custom authentication implementations.
• apache / server:
# Check mod_gnutls version
httpd -M | grep gnutls
# Review Apache configuration for GnuTLSClientVerify directive
grep -r 'GnuTLSClientVerify' /etc/httpd/conf/*disclosure
Statut de l'Exploit
EPSS
0.03% (percentile 10%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2026-33308 is to upgrade mod_gnutls to version 0.13.0 or later. If an immediate upgrade is not feasible due to compatibility issues, consider temporarily disabling TLS client authentication (GnuTLSClientVerify ignore) as a workaround, though this significantly reduces security. Review your Apache configuration to ensure client certificate verification is only enabled where absolutely necessary. After upgrading, verify the fix by attempting to authenticate with a certificate having an incorrect key purpose; authentication should fail.
Actualice mod_gnutls a la versión 0.13.0 o superior. Esta versión corrige la verificación del propósito de la clave en la verificación del certificado del cliente. Si no es posible actualizar, revise la configuración de GnuTLSClientKeyPurpose para asegurar que el propósito de la clave sea el esperado.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2026-33308 is a medium-severity vulnerability in mod_gnutls (≤ 0.13.0) that allows attackers to bypass TLS client authentication by exploiting improper certificate key purpose checks.
You are affected if you are running Apache HTTPD with mod_gnutls version 0.13.0 or earlier and have TLS client authentication enabled. Servers without client certificate verification are not affected.
Upgrade mod_gnutls to version 0.13.0 or later. As a temporary workaround, disable TLS client authentication (GnuTLSClientVerify ignore), but be aware of the security implications.
As of the last update, there are no known public exploits or active campaigns targeting CVE-2026-33308.
Refer to the Apache Security page for the latest information and official advisories: https://httpd.apache.org/security/
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.