CVE-2026-29194

Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorization checks without verifying that the host is authorized to access the specific requested resource. Any entity possessing knowledge of object identifiers (node IDs, host IDs) can craft a request with an arbitrary valid host token to access, modify, or delete resources belonging to other hosts. Affected endpoints include node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations. This issue has been patched in version 1.5.0.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/gravitl/netmaker/releases/tag/v1.5.0	Product Release Notes
https://github.com/gravitl/netmaker/security/advisories/GHSA-hmqr-wjmj-376c	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gravitl:netmaker:*:*:*:*:*:*:*:*

History

11 Mar 2026, 16:46

Type	Values Removed	Values Added
Summary		(es) Netmaker crea redes con WireGuard. Antes de la versión 1.5.0, el middleware Authorize en Netmaker valida incorrectamente los tokens JWT de host. Cuando una ruta permite la autenticación de host (hostAllowed=true), un token de host válido omite todas las comprobaciones de autorización posteriores sin verificar que el host está autorizado para acceder al recurso específico solicitado. Cualquier entidad que posea conocimiento de identificadores de objeto (IDs de nodo, IDs de host) puede elaborar una solicitud con un token de host válido arbitrario para acceder, modificar o eliminar recursos pertenecientes a otros hosts. Los endpoints afectados incluyen la recuperación de información de nodo, la eliminación de host, la transmisión de señal MQTT, las actualizaciones de host de respaldo y las operaciones de conmutación por error. Este problema ha sido parcheado en la versión 1.5.0.
First Time		Gravitl netmaker Gravitl
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.1
CPE		cpe:2.3:a:gravitl:netmaker::::::::
References	~~() https://github.com/gravitl/netmaker/releases/tag/v1.5.0 -~~	() https://github.com/gravitl/netmaker/releases/tag/v1.5.0 - Product, Release Notes
References	~~() https://github.com/gravitl/netmaker/security/advisories/GHSA-hmqr-wjmj-376c -~~	() https://github.com/gravitl/netmaker/security/advisories/GHSA-hmqr-wjmj-376c - Vendor Advisory

07 Mar 2026, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-07 16:15

Updated : 2026-03-11 16:46

NVD link : CVE-2026-29194

Mitre link : CVE-2026-29194

CVE.ORG link : CVE-2026-29194

JSON object : View

Products Affected

gravitl

netmaker

CWE

CWE-863

Incorrect Authorization

8.1 /10