PT-2026-27621 · Nats.Io · Nats Server

Published 2026-03-24 · Updated 2026-05-21 · CVE-2026-33248

CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

NATS-Server versions prior to 2.11.15
NATS-Server versions prior to 2.12.6

Description

NATS-Server, the high-performance server for NATS.io, a cloud and edge native messaging system, has an issue in mTLS client identity handling. When verify-and-map mode (the `verify_and_map` TLS option) is used to derive a NATS identity from the client certificate's Subject DN, certain patterns of Relative Distinguished Names (RDNs) are not correctly enforced, which can allow an authentication bypass. Exploitation requires a valid certificate issued by a CA the server trusts and specific DN naming patterns. The maintainers consider exploitation unlikely, but deployments whose administrators rely on specific DN construction patterns for identity mapping may be affected.

Recommendations

Update NATS-Server to version 2.11.15 or later.
Update NATS-Server to version 2.12.6 or later.
Review CA issuing practices.

Exploit

Fix

Weakness Enumeration

Improper Authentication
Improper Certificate Validation

Related Identifiers

BIT-NATS-2026-33248
CVE-2026-33248
GHSA-3F24-PCVM-5JQC
GO-2026-4828
SUSE-SU-2026:1135-1

Affected Products

Nats Server