
131 matches found

Nuclei
added yesterday, 35 views

Netmaker - Hardcoded DNS Secret Key

Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauthenticated users to interact with DNS API endpoints. id: CVE-2023-32077 info: name: Netmaker - Hardcoded DNS Secret Key author: iamnoooob,rootxharsh,pdresearch...

CVSS 7.5 | AI score 6.9 | EPSS 0.86556
Exploits: 0

Veracode
added 2026/05/16 5:29 a.m., 3 views

Authorization Bypass

Netmaker is vulnerable to Authorization Bypass. The vulnerability is due to improper authorization logic in the Authorize middleware, where a valid host JWT token is accepted when hostAllowed=true without verifying that the host is authorized to access the specific target resource, allowing acces...

CVSS 8.6 | AI score 7.3 | EPSS 0.00036
Exploits: 0 | References: 3 | Affected Software: 1

RedhatCVE
added 2026/04/29 1:44 a.m., 0 views

CVE-2026-38651

Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network...

CVSS 8.2 | AI score 5.5 | EPSS 0.00074
Exploits: 1 | References: 1

NVD
added 2026/04/28 4:16 p.m., 1 view

CVE-2026-38651

Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network...

CVSS 8.2 | EPSS 0.00074
Exploits: 1 | References: 4

CVE
added 2026/04/28 12:0 a.m., 1 view

CVE-2026-38651

CVE-2026-38651 concerns Netmaker (versions prior to 1.5.0). The root cause is a JWT verification flaw in VerifyHostToken (logic/jwts.go) that fails to validate signatures, enabling an attacker to forge a host token with any key to impersonate a host and access sensitive information. The CVSS 3.1 ...

CVSS 8.2 | AI score 5.4 | EPSS 0.00074
Exploits: 1 | References: 4 | Affected Software: 1

EUVD
added 2026/04/28 12:0 a.m., 1 view

EUVD-2026-26062

Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network...

CVSS 8.2 | AI score 5.4 | EPSS 0.00074
Exploits: 1 | References: 3

Cvelist
added 2026/04/28 12:0 a.m., 25 views

CVE-2026-38651

Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network...

EPSS 0.00074
Exploits: 1 | References: 3

CNNVD
added 2026/04/28 12:0 a.m., 4 views

Gravitl Netmaker Data Forgery Vulnerability

Gravitl Netmaker is a platform developed by the American company Gravitl, which uses WireGuard to create and manage fast, secure, and dynamic virtual overlay networks. It is used to create and control automated virtual networks. Versions of Gravitl Netmaker prior to 1.5.0 contained a data...

CVSS 8.2 | AI score 5.8 | EPSS 0.00074
Exploits: 1 | References: 2

SUSE CVE
added 2026/03/25 12:25 a.m., 3 views

SUSE CVE-2026-29194

Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication hostAllowed=true, a valid host token bypasses all subsequent authorization checks without verifying that the host is...

CVSS 8.6 | AI score 5.8 | EPSS 0.00036
Exploits: 0 | References: 3

SUSE CVE
added 2026/03/25 12:25 a.m., 2 views

SUSE CVE-2026-29195

Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler PUT /api/users/username lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly blocks an admin from assigning the admin role to...

CVSS 6.9 | AI score 5.8 | EPSS 0.00015
Exploits: 0 | References: 3

SUSE CVE
added 2026/03/25 12:25 a.m., 1 view

SUSE CVE-2026-29196

Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/network or GET /api/nodes/network. While the Netmaker UI restricts visibility, the API...

CVSS 8.7 | AI score 5.8 | EPSS 0.00015
Exploits: 0 | References: 3

SUSE CVE
added 2026/03/25 12:25 a.m., 1 view

SUSE CVE-2026-29771

Netmaker makes networks with WireGuard. Prior to version 1.2.0, the /api/server/shutdown endpoint allows termination of the Netmaker server process via syscall.SIGINT. This allows any user to repeatedly shut down the server, causing cyclic denial of service with approximately 3-second restart...

CVSS 8.7 | AI score 5.7 | EPSS 0.00021
Exploits: 0 | References: 3

OSV
added 2026/03/11 4:0 p.m., 1 view

GO-2026-4654 Netmaker has Privilege Escalation from Admin to Super-Admin via User Update in github.com/gravitl/netmaker

Netmaker has Privilege Escalation from Admin to Super-Admin via User Update in github.com/gravitl/netmaker...

CVSS 6.9 | AI score 5.8 | EPSS 0.00015
Exploits: 0 | References: 3

OSV
added 2026/03/11 4:0 p.m., 1 view

GO-2026-4651 Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys in github.com/gravitl/netmaker

Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys in github.com/gravitl/netmaker...

CVSS 8.7 | AI score 5.8 | EPSS 0.00015
Exploits: 0 | References: 3

OSV
added 2026/03/11 4:0 p.m., 0 views

GO-2026-4655 Netmaker has Insufficient Authorization in Host Token Verification in github.com/gravitl/netmaker

Netmaker has Insufficient Authorization in Host Token Verification in github.com/gravitl/netmaker...

CVSS 8.6 | AI score 5.8 | EPSS 0.00036
Exploits: 0 | References: 3

OSV
added 2026/03/10 6:28 p.m., 0 views

GO-2026-4608 Netmaker Vulnerable to Denial of Service via Server Shutdown Endpoint in github.com/gravitl/netmaker

Netmaker Vulnerable to Denial of Service via Server Shutdown Endpoint in github.com/gravitl/netmaker...

CVSS 8.7 | AI score 5.8 | EPSS 0.00021
Exploits: 0 | References: 1

GitHub Security Blog
added 2026/03/09 5:27 p.m., 5 views

Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys

A user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/network or GET /api/nodes/network. While the Netmaker UI restricts visibility, the API endpoints return full records, including private keys, without...

CVSS 8.7 | AI score 5.8 | EPSS 0.00015
Exploits: 0 | References: 4 | Affected Software: 1

Snyk
added 2026/03/09 5:27 p.m., 2 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the GET /api/extclients/network or GET /api/nodes/network endpoints. An attacker can obtain sensitive WireGuard private keys belonging to other users by sending requests to these API endpoints, as the respons...

CVSS 8.7 | AI score 5.9 | EPSS 0.00015
Exploits: 0 | References: 2

Snyk
added 2026/03/09 5:27 p.m., 0 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the GET /api/extclients/network or GET /api/nodes/network endpoints. An attacker can obtain sensitive WireGuard private keys belonging to other users by sending requests to these API endpoints, as the respons...

CVSS 8.7 | AI score 5.9 | EPSS 0.00015
Exploits: 0 | References: 2

OSV
added 2026/03/09 5:27 p.m., 2 views

GHSA-4HGG-C4RR-6H7F Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys

A user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/network or GET /api/nodes/network. While the Netmaker UI restricts visibility, the API endpoints return full records, including private keys, without...

CVSS 8.7 | AI score 5.8 | EPSS 0.00015
Exploits: 0 | References: 4