CVE-2026-29194
Improper Host JWT Validation in Netmaker Enables Unauthorized Access
Publication date: 2026-03-07
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gravitl | netmaker | < 1.5.0 (1.5.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability allows unauthorized access to resources belonging to other hosts in a Netmaker network. An attacker who holds any valid host token (for example, one issued to a host they control or have compromised) and who knows the identifiers of the target objects (node IDs or host IDs) can bypass the authorization check on host-accessible routes and access, modify, or delete data belonging to other hosts. Concretely:
- Compromise of node information and host data.
- Unauthorized deletion of hosts.
- Manipulation of MQTT signals.
- Unauthorized updates to fallback hosts and failover operations.
Overall, this can lead to significant security breaches, data integrity issues, and potential disruption of network operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
Can you explain this vulnerability to me?
CVE-2026-29194 is an insufficient authorization vulnerability (CWE-863) in Netmaker versions prior to 1.5.0. The root cause is in the Authorize middleware: on any route that permits host authentication (hostAllowed=true), the middleware treats a cryptographically valid host JWT as sufficient and returns early, skipping every further authorization check. It never verifies that the host identified by the token is the owner of, or otherwise entitled to act on, the specific resource named in the request. Authentication is correct; authorization is missing.
This means any attacker who possesses a valid host token and knows the object identifiers (node IDs or host IDs) can craft requests against resources that belong to other hosts. Affected endpoints include node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations.
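To make the failure concrete, the following Go program is an added illustration of the pattern described above, not Netmaker's own code: a middleware that stops at "is this a validly signed host token?" next to one that also binds the token's host ID to the resource being requested. The token format (HS256 with a single host_id claim), the signing key, the host IDs and the function names AuthorizeVulnerable/AuthorizeFixed are all assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Signing key for host tokens. Constructed for this example only.
var hostSecret = []byte("example-host-signing-key")

// HostClaims is the assumed payload of a host JWT: the ID of the host it was issued to.
type HostClaims struct {
	HostID string `json:"host_id"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintHostToken issues an HS256-style token for a host. This is a stand-in for a
// real JWT library so the example runs offline; the claim layout is assumed.
func MintHostToken(hostID string) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(HostClaims{HostID: hostID})
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, hostSecret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// VerifyHostToken checks the signature and decodes the claims. This is the only
// check the vulnerable path performs: "is this any valid host token?"
func VerifyHostToken(token string) (*HostClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, hostSecret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c HostClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	if c.HostID == "" {
		return nil, errors.New("not a host token")
	}
	return &c, nil
}

// AuthorizeVulnerable models the flaw: on a route with hostAllowed=true, any
// validly signed host token is accepted and the function returns before the
// caller is ever compared with the host that owns targetHostID.
func AuthorizeVulnerable(token string, hostAllowed bool, targetHostID string) error {
	if _, err := VerifyHostToken(token); err != nil {
		return err
	}
	if hostAllowed {
		return nil // bug: authenticated is not the same as authorized for targetHostID
	}
	return errors.New("host tokens not allowed on this route")
}

// AuthorizeFixed binds the token to the resource: a host may only act on
// objects whose owner matches the host ID carried in its own token.
func AuthorizeFixed(token string, hostAllowed bool, targetHostID string) error {
	claims, err := VerifyHostToken(token)
	if err != nil {
		return err
	}
	if !hostAllowed {
		return errors.New("host tokens not allowed on this route")
	}
	if claims.HostID != targetHostID {
		return fmt.Errorf("host %s is not authorized for host %s", claims.HostID, targetHostID)
	}
	return nil
}

func main() {
	attacker := MintHostToken("host-attacker") // a token the attacker legitimately holds
	victim := "host-victim"                    // an ID the attacker merely knows
	fmt.Println("vulnerable:", AuthorizeVulnerable(attacker, true, victim)) // nil: granted
	fmt.Println("fixed:     ", AuthorizeFixed(attacker, true, victim))      // error: denied
	fmt.Println("fixed own: ", AuthorizeFixed(MintHostToken(victim), true, victim))
}
```

The point of the comparison is that the signature check is identical in both paths; the fix is the extra object-level comparison between the identity in the token and the identity in the request, which is exactly the check CWE-863 says is present but performed incorrectly.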
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Netmaker to version 1.5.0 or later, where the Authorize middleware no longer treats a valid host JWT as sufficient on hostAllowed routes.
The fix adds the missing step: after validating the host token, the middleware checks that the authenticated host is actually entitled to the specific resource named in the request. Because exploitation requires possession of any valid host token, it is also worth reviewing which hosts are enrolled and whether any host credential could have been issued to, or obtained by, an untrusted party.