PT-2026-27303 · Gnutls+2

Ireneusz Pastusiak · Published 2026-03-24 · Updated 2026-03-25 · CVE-2026-33308

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: mod_gnutls versions prior to 0.13.0

Description: mod_gnutls, a TLS module for Apache HTTPD based on GnuTLS, had an issue where the client certificate verification code did not validate the key purpose defined in the certificate's Extended Key Usage extension. An attacker holding the private key of a valid certificate that was issued by a CA trusted for TLS client authentication, but intended for a different purpose, could therefore gain unauthorized access to resources that require TLS client authentication. Server configurations that do not use client certificates are not affected. The issue has no practical impact where dedicated Certificate Authorities (CAs) or sub-CAs are used solely for issuing TLS client certificates. The function gnutls_certificate_verify_peers() is involved in the verification process.

Recommendations: Versions prior to 0.13.0 should be updated to version 0.13.0 or later.
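The check the advisory describes as missing, shown as an added example that is not mod_gnutls or GnuTLS code: it uses Go's standard crypto/x509 library in place of gnutls_certificate_verify_peers(), builds a constructed in-memory CA with two leaf certificates (one whose Extended Key Usage permits clientAuth, one limited to serverAuth), and verifies both with and without a required key purpose. The names testPKI, newTestPKI and verifyPeer are assumptions made for this example; the unchecked-purpose path models the pre-0.13.0 behaviour, and the clientAuth-required path models the fixed behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed, in-memory CA plus two leaf certificates it issued.
// Nothing here is a real-world certificate; it exists only for this example.
type testPKI struct {
	caPool     *x509.CertPool
	clientCert *x509.Certificate // EKU: clientAuth
	serverCert *x509.Certificate // EKU: serverAuth only
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign creates a certificate from tmpl signed by parent (pass tmpl as parent for self-signed).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func newTestPKI() *testPKI {
	now := time.Now()
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	// leaf issues an end-entity certificate from the CA with exactly one EKU value.
	leaf := func(serial int64, cn string, eku x509.ExtKeyUsage) *x509.Certificate {
		leafKey := mustKey()
		return sign(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		}, ca, &leafKey.PublicKey, caKey)
	}
	return &testPKI{
		caPool:     pool,
		clientCert: leaf(2, "client-cert (clientAuth)", x509.ExtKeyUsageClientAuth),
		serverCert: leaf(3, "server-cert (serverAuth only)", x509.ExtKeyUsageServerAuth),
	}
}

// verifyPeer validates cert against the trusted roots. With requireClientAuth
// false it models the pre-0.13.0 behaviour the advisory describes: the chain is
// checked but the key purpose is not, so any certificate from the CA passes.
// With requireClientAuth true the leaf's EKU must permit TLS client authentication.
func verifyPeer(cert *x509.Certificate, roots *x509.CertPool, requireClientAuth bool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if requireClientAuth {
		opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	_, err := cert.Verify(opts)
	return err
}

func main() {
	pki := newTestPKI()
	for _, c := range []*x509.Certificate{pki.clientCert, pki.serverCert} {
		fmt.Printf("%-32s purpose unchecked:   accepted=%v\n", c.Subject.CommonName, verifyPeer(c, pki.caPool, false) == nil)
		fmt.Printf("%-32s clientAuth required: accepted=%v\n", c.Subject.CommonName, verifyPeer(c, pki.caPool, true) == nil)
	}
}
```

Run with `go run .`: both certificates are accepted when the purpose is unchecked, while only the clientAuth certificate is accepted once clientAuth is required; the serverAuth-only certificate fails with an incompatible-usage error. The same purpose check is what makes the advisory's note about dedicated client-certificate CAs matter: a CA that only ever issues clientAuth certificates cannot produce a certificate that the unchecked path would wrongly accept.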

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2026-33308
GHSA-HM2G-M958-8QGH

Affected Products

Apache Httpd
Gnutls
Mod-Gnutls