Description
Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorization checks without verifying that the host is authorized to access the specific requested resource. Any entity possessing knowledge of object identifiers (node IDs, host IDs) can craft a request with an arbitrary valid host token to access, modify, or delete resources belonging to other hosts. Affected endpoints include node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations. This issue has been patched in version 1.5.0.
Published: 2026-03-07
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Resource Access
Action: Apply Patch
AI Analysis

Impact

Netmaker's Authorize middleware verifies host JWT tokens, but prior to version 1.5.0 a flaw allowed any valid host token, on a route where hostAllowed=true, to pass all subsequent authorization checks without confirming that the host had rights to the specific resource requested. As a result, any party possessing a valid host token and knowledge of object identifiers such as node or host IDs could reach endpoints that retrieve, modify, or delete resources belonging to other hosts, including node information, host deletion, MQTT signalling, fallback host updates, and failover operations. The weakness is an instance of CWE-863 (Incorrect Authorization).
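The flaw described above, shown as a constructed Go example (not Netmaker's code) that places the vulnerable authorization shape beside a fixed one carrying the missing object-level check; the HostClaims and Node types, the nodes map and the function names are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// HostClaims stands in for the identity carried by a validated host JWT
// (constructed for this example, not Netmaker's type).
type HostClaims struct {
	HostID string
}

// Node is a resource owned by exactly one host (constructed sample type).
type Node struct {
	ID, HostID string
}

// Constructed sample data: node n1 belongs to host h1, node n2 to host h2.
var nodes = map[string]Node{
	"n1": {ID: "n1", HostID: "h1"},
	"n2": {ID: "n2", HostID: "h2"},
}

var errForbidden = errors.New("forbidden")

// authorizeVulnerable mirrors the flaw in the advisory: on a hostAllowed route,
// any valid host token is accepted for any node ID; the owner is never compared.
func authorizeVulnerable(hostAllowed bool, claims *HostClaims, nodeID string) error {
	if hostAllowed && claims != nil {
		return nil // early return skips every later authorization check
	}
	return errForbidden
}

// authorizeFixed adds the missing object-level check: the host named in the
// token must own the requested node; unknown node IDs are refused the same way.
func authorizeFixed(hostAllowed bool, claims *HostClaims, nodeID string) error {
	n, ok := nodes[nodeID]
	if hostAllowed && claims != nil && ok && claims.HostID == n.HostID {
		return nil
	}
	return errForbidden
}

func main() {
	h1 := &HostClaims{HostID: "h1"}
	fmt.Println("vulnerable, h1 -> n2:", authorizeVulnerable(true, h1, "n2")) // <nil>
	fmt.Println("fixed, h1 -> n2:     ", authorizeFixed(true, h1, "n2"))      // forbidden
}
```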

Affected Systems

The vulnerability affects the Netmaker product by the vendor gravitl. All releases before v1.5.0 are impacted. Endpoints listed in the advisory – node info retrieval, host deletion, MQTT signal transmission, fallback host updates and failover operations – lack proper authorization checks for host tokens.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, while the EPSS score of less than 1% shows that exploitation is unlikely to be widespread or automated. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires the attacker to hold a valid host JWT token and to know the target identifiers, so exploitation is feasible for an already-enrolled or compromised host but not easily achievable by external unauthenticated actors. Nevertheless, the impact once exploited can be significant given the full range of accessible resources.

Generated by OpenCVE AI on April 16, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy Netmaker v1.5.0 or later to incorporate the authorization fix.
  • Reconfigure or disable any endpoint that permits hostAllowed=true without host-specific checks so that all access requires full host validation.
  • Use network segmentation or firewall rules to limit exposure of node and host identifiers to only verification and management systems.
  • Rotate existing host tokens and enforce short expiration times to reduce the window of exploitation for stolen or compromised tokens.



Advisories

Source: GitHub GHSA
ID: GHSA-hmqr-wjmj-376c
Title: Netmaker has Insufficient Authorization in Host Token Verification

History

Wed, 11 Mar 2026 17:00:00 +0000

  CPEs (values added): cpe:2.3:a:gravitl:netmaker:*:*:*:*:*:*:*:*
  Metrics (values added): cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Mon, 09 Mar 2026 19:15:00 +0000

  Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

  First Time appeared (values added): Gravitl; Gravitl netmaker
  Vendors & Products (values added): Gravitl; Gravitl netmaker

Sat, 07 Mar 2026 16:15:00 +0000

  Description (values added): Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorization checks without verifying that the host is authorized to access the specific requested resource. Any entity possessing knowledge of object identifiers (node IDs, host IDs) can craft a request with an arbitrary valid host token to access, modify, or delete resources belonging to other hosts. Affected endpoints include node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations. This issue has been patched in version 1.5.0.
  Title (values added): Netmaker: Insufficient Authorization in Host Token Verification
  Weaknesses (values added): CWE-863
  References (values added):
  Metrics (values added): cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Gravitl Netmaker
MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-09T18:25:50.045Z
Reserved: 2026-03-04T14:44:00.715Z
Link: CVE-2026-29194

Vulnrichment

Updated: 2026-03-09T17:39:44.381Z

NVD

Status: Analyzed
Published: 2026-03-07T16:15:54.507
Modified: 2026-03-11T16:46:09.480
Link: CVE-2026-29194

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:00:10Z

Weaknesses