Description
Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information
Published: 2026-04-28
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: Authentication Bypass
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the VerifyHostToken function of Netmaker’s logic/jwts.go, where the JWT signature is not validated when verifying host tokens. An attacker can forge a token signed with any arbitrary key and use it to impersonate any host within the network, gaining access to sensitive information and potentially other services. This flaw aligns with CWE-347, involving the use of invalid signing keys, and the issue enables a direct authentication bypass for host identities.

Affected Systems

All Netmaker installations running versions prior to 1.5.0 are impacted. This includes both community and commercial distributions that rely on JWT tokens for host authentication in software‑defined networking and VPN environments.

Risk and Exploitability

The likely attack vector is network-based, as forged tokens can be inserted into API traffic between hosts. The data indicates no EPSS score and no inclusion in the CISA KEV catalog. A CVSS score of 8.2 reflects a medium‑high severity authentication bypass, threatening confidentiality and integrity across the network.

Generated by OpenCVE AI on April 29, 2026 at 02:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netmaker to version 1.5.0 or later, which includes proper JWT signature validation in VerifyHostToken.
  • If an upgrade cannot be applied immediately, enforce strict firewall rules or IP filtering to block unauthorized token submissions and restrict API access only to trusted hosts.
  • Audit existing deployments for any previously issued tokens signable with arbitrary keys and revoke or regenerate them to ensure only valid tokens are in use.

Generated by OpenCVE AI on April 29, 2026 at 02:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Title Netmaker Host JWT Signature Verification Bypass

Tue, 28 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306

Tue, 28 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Title Netmaker Host JWT Signature Verification Bypass
Weaknesses CWE-306

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-347
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Tue, 28 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Gravitl
Gravitl netmaker
Vendors & Products Gravitl
Gravitl netmaker

Tue, 28 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information
References

Subscriptions

Gravitl Netmaker
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-28T17:34:42.863Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38651

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-28T16:16:13.443

Modified: 2026-04-28T20:23:20.703

Link: CVE-2026-38651

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T02:30:07Z

Weaknesses