Impact
The Netmaker API endpoint for updating user accounts is missing an authorization check, which allows a user with the admin role to elevate their own privileges to super-admin. When an admin sends a request to the user update handler with the role field set to super-admin, the server accepts the change, because the existing check only prevents admins from granting the admin role to other users. As a result, a regular admin can obtain full control over the entire Netmaker platform, including network configuration, user management, and deployment of WireGuard nodes, bypassing the intended role hierarchy.
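An added illustration, not Netmaker's own code: a hypothetical role-assignment check in Go that shows the incomplete rule described above beside a hardened version that compares both the target's current role and the requested role against the caller's own level (the role names, function names and parameter layout are assumptions for this example).

```go
package main

import (
	"errors"
	"fmt"
)

// Role is an assumed ordered hierarchy; higher values carry more privilege.
type Role int

const (
	RoleUser Role = iota
	RoleAdmin
	RoleSuperAdmin
)

var ErrForbidden = errors.New("forbidden: caller may not make this role change")

// vulnerableRoleCheck mirrors the flaw described above: the only rule is
// "an admin may not grant admin to someone else", so an admin who sets the
// requested role to super-admin on their own account passes unchecked.
func vulnerableRoleCheck(caller, targetCurrent, requested Role, callerIsTarget bool) error {
	if caller == RoleAdmin && !callerIsTarget && requested == RoleAdmin {
		return ErrForbidden
	}
	return nil
}

// hardenedRoleCheck enforces the hierarchy explicitly: a caller may not touch
// an account more privileged than themselves, may never assign a role above
// their own level, and the original admin-to-admin rule is kept.
func hardenedRoleCheck(caller, targetCurrent, requested Role, callerIsTarget bool) error {
	if targetCurrent > caller {
		return ErrForbidden // e.g. an admin editing a super-admin account
	}
	if requested > caller {
		return ErrForbidden // e.g. an admin requesting super-admin for anyone, self included
	}
	if caller == RoleAdmin && !callerIsTarget && requested == RoleAdmin {
		return ErrForbidden
	}
	return nil
}

func main() {
	// An admin updating their own role to super-admin: allowed by the weak check, denied by the hardened one.
	fmt.Println("vulnerable:", vulnerableRoleCheck(RoleAdmin, RoleAdmin, RoleSuperAdmin, true))
	fmt.Println("hardened:  ", hardenedRoleCheck(RoleAdmin, RoleAdmin, RoleSuperAdmin, true))
}
```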
Affected Systems
The flaw exists in all deployments of gravitl:netmaker running versions earlier than 1.5.0. These installations are at risk if an administrator's API token or web session is compromised, or if weak authentication is used for the API.
Risk and Exploitability
The vulnerability has a CVSS score of 6.9, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and it is not currently listed in the CISA KEV catalog. The attack vector is nonetheless straightforward: an attacker who can authenticate as an admin and issue an HTTPS request to the update endpoint can supply a super-admin role value. Because the API uses bearer tokens, credential compromise or social engineering can provide the necessary access. The missing role check allows the privilege escalation with no other prerequisites.
OpenCVE Enrichment
Github GHSA