MEDIUMCVE-2026-33308CVSS 6.8

mod_gnutls missing key purpose check in client certificate verification

Q: What is CVE-2026-33308 — TLS Verification Bypass in mod_gnutls?

CVE-2026-33308 is a medium-severity vulnerability in mod_gnutls (≤ 0.13.0) that allows attackers to bypass TLS client authentication by exploiting improper certificate key purpose checks.

Q: Am I affected by CVE-2026-33308 in mod_gnutls?

You are affected if you are running Apache HTTPD with mod_gnutls version 0.13.0 or earlier and have TLS client authentication enabled. Servers without client certificate verification are not affected.

Q: How do I fix CVE-2026-33308 in mod_gnutls?

Upgrade mod_gnutls to version 0.13.0 or later. As a temporary workaround, disable TLS client authentication (`GnuTLSClientVerify ignore`), but be aware of the security implications.

Q: Is CVE-2026-33308 being actively exploited?

As of the last update, there are no known public exploits or active campaigns targeting CVE-2026-33308.

Q: Where can I find the official Apache advisory for CVE-2026-33308?

Refer to the Apache Security page for the latest information and official advisories: https://httpd.apache.org/security/

翻訳中…

プラットフォーム

apache

コンポーネント

mod_gnutls

修正版

0.13.1

AI Confidence: highNVDEPSS 0.0%レビュー済み: 2026年5月

NVDで見る

保存

あなたの言語に翻訳中…

CVE-2026-33308 is a medium-severity vulnerability affecting modgnutls, a TLS module for Apache HTTPD. This flaw stems from inadequate verification of the key purpose within client certificates, potentially allowing unauthorized access. Versions of modgnutls prior to 0.13.0 are vulnerable, while servers not utilizing client certificate authentication are unaffected.

影響と攻撃シナリオ翻訳中…

An attacker exploiting this vulnerability could leverage a valid client certificate issued by a trusted Certificate Authority (CA), but with a key purpose not intended for TLS client authentication. By presenting this certificate, the attacker could bypass the intended authentication checks and gain access to resources requiring TLS client authentication. The potential impact includes unauthorized data access, modification, or deletion, depending on the privileges associated with the authenticated user. This vulnerability highlights the importance of proper certificate validation and key usage restrictions in TLS configurations.

悪用の状況翻訳中…

This CVE was publicly disclosed on 2026-03-24. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is contingent on the configuration of Apache HTTPD and the use of TLS client authentication.

リスク対象者翻訳中…

Organizations running Apache HTTPD with mod_gnutls versions prior to 0.13.0 and utilizing TLS client authentication are at risk. This includes environments relying on client certificates for secure access to web applications and APIs, particularly those with legacy systems or custom authentication implementations.

検出手順翻訳中…

• apache / server:

# Check mod_gnutls version
httpd -M | grep gnutls

# Review Apache configuration for GnuTLSClientVerify directive
grep -r 'GnuTLSClientVerify' /etc/httpd/conf/*

攻撃タイムライン

2026-03-24Disclosure
disclosure

脅威インテリジェンス

エクスプロイト状況

概念実証不明

CISA KEVNO

インターネット露出高

レポート1 脅威レポート

EPSS

0.03% (10% パーセンタイル)

CISA SSVC

悪用状況none

自動化可能no

技術的影響partial

CVSS ベクトル

これらのメトリクスの意味は？

Attack Vector: ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity: 高 — 競合条件、非標準設定、または特定の状況が必要。悪用が難しい。
Privileges Required: なし — 認証不要。資格情報なしで悪用可能。
User Interaction: なし — 自動かつ無音の攻撃。被害者は何もしない。
Scope: 変化あり — 攻撃が脆弱なコンポーネントを超えて他のシステムに波及可能。
Confidentiality: 高 — 機密性の完全喪失。全データが読み取り可能。
Integrity: なし — 完全性への影響なし。
Availability: なし — 可用性への影響なし。

影響を受けるソフトウェア

コンポーネントmod_gnutls

ベンダーairtower-luna

影響範囲修正版

< 0.13.0 – < 0.13.00.13.1

弱点分類 (CWE)

CWE-295

タイムライン

予約済み2026-03-18
公開日2026-03-24
EPSS 更新日2026-03-31

緩和策と回避策翻訳中…

The primary mitigation for CVE-2026-33308 is to upgrade mod_gnutls to version 0.13.0 or later. If an immediate upgrade is not feasible due to compatibility issues, consider temporarily disabling TLS client authentication (GnuTLSClientVerify ignore) as a workaround, though this significantly reduces security. Review your Apache configuration to ensure client certificate verification is only enabled where absolutely necessary. After upgrading, verify the fix by attempting to authenticate with a certificate having an incorrect key purpose; authentication should fail.

修正方法翻訳中…

Actualice mod_gnutls a la versión 0.13.0 o superior. Esta versión corrige la verificación del propósito de la clave en la verificación del certificado del cliente. Si no es posible actualizar, revise la configuración de GnuTLSClientKeyPurpose para asegurar que el propósito de la clave sea el esperado.

CVEセキュリティニュースレター

脆弱性分析と重要アラートをメールでお届けします。

よくある質問翻訳中…

What is CVE-2026-33308 — TLS Verification Bypass in mod_gnutls?

CVE-2026-33308 is a medium-severity vulnerability in mod_gnutls (≤ 0.13.0) that allows attackers to bypass TLS client authentication by exploiting improper certificate key purpose checks.

Am I affected by CVE-2026-33308 in mod_gnutls?

You are affected if you are running Apache HTTPD with mod_gnutls version 0.13.0 or earlier and have TLS client authentication enabled. Servers without client certificate verification are not affected.

How do I fix CVE-2026-33308 in mod_gnutls?

Upgrade mod_gnutls to version 0.13.0 or later. As a temporary workaround, disable TLS client authentication (GnuTLSClientVerify ignore), but be aware of the security implications.

Is CVE-2026-33308 being actively exploited?

As of the last update, there are no known public exploits or active campaigns targeting CVE-2026-33308.

Where can I find the official Apache advisory for CVE-2026-33308?

Refer to the Apache Security page for the latest information and official advisories: https://httpd.apache.org/security/

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャン CVEを検索