216.73.216.233

CVE-2026-29194

· Published 07/03/2026 16:15 · Modified 07/03/2026 16:15

Labels: CVE-2026-29194 2026-03-07CVE-2026-29194CWE-863[email protected]

Essential information

Published
07/03/2026 16:15
Modified
07/03/2026 16:15
Author
Creator
CVSS
8.6 HIGH (v3) 8.6 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorization checks without verifying that the host is authorized to access the specific requested resource. Any entity possessing knowledge of object identifiers (node IDs, host IDs) can craft a request with an arbitrary valid host token to access, modify, or delete resources belonging to other hosts. Affected endpoints include node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations. This issue has been patched in version 1.5.0.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
netmaker / netmaker cpe:2.3:a:netmaker:netmaker:<1.5.0:*:*:*:*:*:*:*

References