VDB

DEBIAN-CVE-2026-33248

DEBIAN-CVE-2026-33248 PUBLISHED CVSS 4.199999809265137 MEDIUM

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.

Risk Scores

CVSS 3.1
4.199999809265137
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersions
Debian:14nats-server0, 2.10.27-1, 2.12.4-1
Debian:13nats-server2.12.4-1, 0, 2.12.6-1
Debian:12nats-server2.10.1-1, 2.10.16-1, 2.10.18-1

Exploit Intelligence

Timeline

  • Mar 25, 2026 CVE Published
  • Apr 28, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›