CVE-2026-29196

High CVSS: 8.7

Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. While the Netmaker UI restricts visibility, the API endpoints return full records, including private keys, without filtering based on the requesting user's ownership. This issue has been patched in version 1.5.0.

Vendor

Gravitl

Product

Netmaker

CWE

CWE-863

Yayın Tarihi

2026-03-07 17:15:52

Güncelleme

2026-03-12 13:44:29

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-863 Netmaker HIGH Gravitl 2026

Referanslar

https://github.com/gravitl/netmaker/releases/tag/v1.5.0 https://github.com/gravitl/netmaker/security/advisories/GHSA-4hgg-c4rr-6h7f

Benzer Kayıtlar

Medium

CVE-2026-29195

Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler (PUT /api/users/{username}) lack…

High

CVE-2026-29194

Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validat…

High

CVE-2026-29771

Netmaker makes networks with WireGuard. Prior to version 1.2.0, the /api/server/shutdown endpoint allows termination of…