Description
Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. While the Netmaker UI restricts visibility, the API endpoints return full records, including private keys, without filtering based on the requesting user's ownership. This issue has been patched in version 1.5.0.
Published: 2026-03-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Private Keys
Action: Immediate Patch
AI Analysis

Impact

Netmaker builds WireGuard-based virtual networks. Prior to version 1.5.0, a user holding the platform-user role could retrieve the private keys of every WireGuard configuration in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. The Netmaker UI hid these values, but the API returned full records, private keys included, with no filtering on the requesting user's ownership (an authorization failure, tracked as CWE-863). A WireGuard private key is the credential that lets a peer join the network as that node or external client, so the description implies, without spelling out downstream effects, that a holder of the leaked keys could impersonate other members of the network and participate in it as them.

Affected Systems

The vulnerability affects Netmaker, distributed by Gravitl (CPE cpe:2.3:a:gravitl:netmaker). Every deployment running a version earlier than 1.5.0 is affected; 1.5.0 and later contain the fix, after which these endpoints no longer return private keys without an ownership check.

Risk and Exploitability

The CNA (GitHub) scored the flaw 8.7 High on CVSS 4.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N). Note that this vector claims no privileges required (PR:N), while the description requires a platform-user account; NVD's CVSS 3.1 assessment, which models that role as PR:L, gives 4.3 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). The EPSS score is below 1 %, the flaw is not listed in the CISA KEV catalogue, and the SSVC record reads Exploitation: none, Automatable: yes, Technical Impact: partial. For anyone holding a platform-user account with access to the network, exploitation is trivial: two authenticated GET requests return the keys. What those keys buy the attacker depends on the network. The description does not detail downstream attacks, but since a WireGuard private key is the only credential a peer needs to participate as that node, the realistic outcome is impersonation of other members of the network and bypass of the per-node authentication that WireGuard keys provide.

Generated by OpenCVE AI on April 18, 2026 at 09:46 UTC.

Remediation

The issue is fixed in Netmaker 1.5.0, as stated in the description and the GHSA advisory. No workaround other than upgrading is listed.

OpenCVE Recommended Actions

  • Upgrade Netmaker to version 1.5.0 or later, which patches the two endpoints so they no longer return private keys without checking the requesting user's ownership.
  • Restrict platform-user accounts to only the networks they need; on an unpatched server, any such account with access to a network can read every WireGuard private key in it.
  • Audit API access controls on your deployment: call GET /api/nodes/{network} and GET /api/extclients/{network} with a low-privilege platform-user token and confirm that no private keys are returned for records that user does not own. Treat any key already retrievable this way as exposed and rotate it.
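The audit described above, plus the ownership check the endpoints lacked, as an added example in Python (it is not Netmaker's own code and not part of the OpenCVE page). It assumes the Netmaker API accepts a bearer token in the Authorization header and returns JSON arrays. The field names in the constructed sample records (clientid, ownerid, publickey, privatekey) are assumptions, which is why the scanner flags any field named like a private key and checks whether its value decodes to a 32-byte WireGuard key, rather than relying on one schema. The sample keys are generated from repeated bytes and are not real credentials.

```python
"""Added audit example for CVE-2026-29196 (not Netmaker's or OpenCVE's code).

Assumptions: the Netmaker API takes 'Authorization: Bearer <token>' and
returns JSON arrays; the field names in the constructed samples below
('clientid', 'ownerid', 'publickey', 'privatekey') are assumed, so the
scan keys on any field named like a private key, not on one schema.
"""
import base64
import json
import re
import urllib.request

# A WireGuard key is 32 bytes; base64 of 32 bytes is 44 chars ending in '='.
WG_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")
PRIVATE_KEY_NAME_RE = re.compile(r"private[_-]?key", re.IGNORECASE)


def looks_like_wg_key(value):
    """True if value is base64 text that decodes to exactly 32 bytes."""
    if not isinstance(value, str) or not WG_KEY_RE.match(value):
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def find_private_key_leaks(obj, path=""):
    """Walk decoded JSON and return [(json_path, reason)] for every non-empty
    field whose name looks like a private key. Public keys are also 44-char
    base64, so the field name is the trigger, not the value's shape."""
    leaks = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else str(key)
            if PRIVATE_KEY_NAME_RE.search(str(key)) and isinstance(value, str) and value:
                reason = ("WireGuard-shaped private key" if looks_like_wg_key(value)
                          else "non-empty private-key field")
                leaks.append((child, reason))
            else:
                leaks.extend(find_private_key_leaks(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            leaks.extend(find_private_key_leaks(item, f"{path}[{i}]"))
    return leaks


def fetch_records(base_url, network, token, endpoint):
    """GET /api/{endpoint}/{network} with a bearer token (assumed auth scheme)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/{endpoint}/{network}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def audit_server(base_url, network, token):
    """Call both endpoints named in the advisory with a low-privilege
    platform-user token; any hit means the server still exposes keys."""
    return {endpoint: find_private_key_leaks(fetch_records(base_url, network, token, endpoint))
            for endpoint in ("nodes", "extclients")}


def redact_for_requester(records, requester_id, owner_field="ownerid"):
    """The server-side ownership check the endpoints lacked: strip private-key
    fields from records the requester does not own. Owner field name is assumed."""
    redacted = []
    for record in records:
        copy = json.loads(json.dumps(record))  # never mutate the caller's data
        if copy.get(owner_field) != requester_id:
            for key in [k for k in copy if PRIVATE_KEY_NAME_RE.search(k)]:
                del copy[key]
        redacted.append(copy)
    return redacted


def fake_key(seed):
    """Deterministic 32-byte key for the constructed samples; not a real credential."""
    return base64.b64encode(bytes([seed]) * 32).decode()


# Constructed sample of what an unfiltered /api/extclients/{network} reply
# could contain on a pre-1.5.0 server (field names assumed, keys fake).
SAMPLE_EXTCLIENTS = [
    {"clientid": "laptop-1", "ownerid": "alice",
     "publickey": fake_key(1), "privatekey": fake_key(2)},
    {"clientid": "phone-2", "ownerid": "bob",
     "publickey": fake_key(3), "privatekey": fake_key(4)},
]

if __name__ == "__main__":
    for path, reason in find_private_key_leaks(SAMPLE_EXTCLIENTS):
        print(f"LEAK {path}: {reason}")
    # After the ownership check, alice sees only her own private key.
    print(find_private_key_leaks(redact_for_requester(SAMPLE_EXTCLIENTS, "alice")))
```

To run the audit against a live server, call audit_server("https://api.example.invalid", "mynet", token) with a token for a platform-user account that does not own the records in the network; an empty list for both endpoints is the expected result on 1.5.0 or later. The scanner deliberately keys on the field name rather than on the base64 shape alone, because public keys share the 44-character shape and would otherwise produce false positives.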


Advisories
Source: GitHub GHSA
ID: GHSA-4hgg-c4rr-6h7f
Title: Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys
History

Thu, 12 Mar 2026 13:45:00 +0000

  Added CPEs: cpe:2.3:a:gravitl:netmaker:*:*:*:*:*:*:*:*
  Added metrics (cvssV3_1): score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Mon, 09 Mar 2026 19:15:00 +0000

  Added metrics (ssvc, version 2.0.3): Automatable: yes; Exploitation: none; Technical Impact: partial

Mon, 09 Mar 2026 10:15:00 +0000

  First time appeared: Gravitl; Gravitl netmaker
  Added vendors & products: Gravitl; Gravitl netmaker

Sat, 07 Mar 2026 16:30:00 +0000

  Added description: Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. While the Netmaker UI restricts visibility, the API endpoints return full records, including private keys, without filtering based on the requesting user's ownership. This issue has been patched in version 1.5.0.
  Added title: Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys
  Added weaknesses: CWE-863
  Added references
  Added metrics (cvssV4_0): score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T18:25:32.679Z

Reserved: 2026-03-04T14:44:00.715Z

Link: CVE-2026-29196

Vulnrichment

Updated: 2026-03-09T17:43:36.180Z

NVD

Status: Analyzed

Published: 2026-03-07T17:15:52.017

Modified: 2026-03-12T13:44:29.150

Link: CVE-2026-29196

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses