Zero Day Monitor
4.2
CVE-2026-33248

NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching

Description

A vulnerability marked as critical has been reported in nats-io nats-server up to 2.11.14/2.12.5. This vulnerability affects the function verify_and_map of the component mTLS. This manipulation causes improper certificate validation. The attack may be initiated remotely.

Affected Products

Vendor: go
Product: github.com/nats-io/nats-server/v2
Versions:
  • go/github.com/nats-io/nats-server/v2: < 2.11.15
  • go/github.com/nats-io/nats-server/v2: >= 2.12.0-RC.1, < 2.12.6
  • go/github.com/nats-io/nats-server/v2: <= 2.11.14
  • go/github.com/nats-io/nats-server/v2: <= 2.12.5

References

  • https://github.com/advisories/GHSA-3f24-pcvm-5jqc (advisory)
  • https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc
  • https://advisories.nats.io/CVE/secnote-2026-13.txt

Related News (1 articles)

Tier C
VulDB · 5h ago
CVE-2026-33248 | nats-io nats-server up to 2.11.14/2.12.5 mTLS verify_and_map certificate validation
→ No new info (linked only)
CVSS 3.1: 4.2 CRITICAL
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA KEV: ❌ No
Actively exploited: ✅ Yes
CWE: CWE-287, CWE-295
Published: 3/24/2026
Last enriched: 3h ago (v2)
Tags: GHSA-3f24-pcvm-5jqc, go, CVE-2026-33248
Trending Score: 40
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Verification

State: unverified
Confidence: 0%

Version History

v2 · Tier C · 3h ago

Updated severity to CRITICAL, added affected versions up to 2.11.14/2.12.5, and noted that the vulnerability is actively exploited.

description, affectedVersions, severity, activelyExploited, tags
via VulDB
v1 · 11h ago

Initial creation