cvedb.io
CVE-2026-33308
MEDIUM · CVSS 6.8
EPSS exploitation probability: 0%
Published 2026-03-24T03:16:06.080 · Last modified 2026-06-17T10:37:17.780

Summary

Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Prior to version 0.13.0, code for client certificate verification did not check the key purpose as set in the Extended Key Usage extension. An attacker with access to the private key for a valid certificate issued by a CA trusted for TLS client authentication but designated for a different purpose could have used that certificate to improperly access resources requiring TLS client authentication. Server configurations that do not use client certificates (`GnuTLSClientVerify ignore`, the default) are not affected. The problem has been fixed in version 0.13.0 by rewriting certificate verification to use `gnutls_certificate_verify_peers()`, and requiring key purpose id-kp-clientAuth (also known as `tls_www_client` in GnuTLS) by defa

Affected products

mod_gnutls_project — mod_gnutls

Does this affect you?

Add your gear to cvedb and we'll alert you only when mod_gnutls_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.