CVE-2026-29194
Received Received - Intake

Improper Host JWT Validation in Netmaker Enables Unauthorized Access

Vulnerability report for CVE-2026-29194, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description

Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorization checks without verifying that the host is authorized to access the specific requested resource. Any entity possessing knowledge of object identifiers (node IDs, host IDs) can craft a request with an arbitrary valid host token to access, modify, or delete resources belonging to other hosts. Affected endpoints include node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations. This issue has been patched in version 1.5.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-07
Last Modified
2026-03-11
Generated
2026-07-06
AI Q&A
2026-03-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gravitl netmaker to 1.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability allows unauthorized access to sensitive resources within the Netmaker network. An attacker with knowledge of object identifiers can use valid host tokens to bypass authorization controls and perform unauthorized actions such as accessing, modifying, or deleting data belonging to other hosts.

  • Compromise of node information and host data.
  • Unauthorized deletion of hosts.
  • Manipulation of MQTT signals.
  • Unauthorized updates to fallback hosts and failover operations.

Overall, this can lead to significant security breaches, data integrity issues, and potential disruption of network operations.

Compliance Impact

I don't know

Detection Guidance

I don't know

Executive Summary

CVE-2026-29194 is an insufficient authorization vulnerability in Netmaker versions prior to 1.5.0. The issue occurs because the Authorize middleware incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), the middleware accepts any valid host token and bypasses all further authorization checks without verifying if the host is authorized to access the specific requested resource.

This means that any attacker who knows object identifiers like node IDs or host IDs can craft requests using arbitrary valid host tokens to access, modify, or delete resources that belong to other hosts. Affected endpoints include node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Netmaker to version 1.5.0 or later, where the issue with improper validation of host JWT tokens has been fixed.

This update addresses the insufficient authorization vulnerability by correctly validating host tokens and ensuring that hosts are authorized to access specific requested resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29194. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart