CVE-2026-29194
Received Received - Intake
Improper Host JWT Validation in Netmaker Enables Unauthorized Access

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorization checks without verifying that the host is authorized to access the specific requested resource. Any entity possessing knowledge of object identifiers (node IDs, host IDs) can craft a request with an arbitrary valid host token to access, modify, or delete resources belonging to other hosts. Affected endpoints include node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations. This issue has been patched in version 1.5.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29194
EUVD
EUVD-2026-10159
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gravitl netmaker to 1.5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows unauthorized access to sensitive resources within the Netmaker network. An attacker with knowledge of object identifiers can use valid host tokens to bypass authorization controls and perform unauthorized actions such as accessing, modifying, or deleting data belonging to other hosts.

  • Compromise of node information and host data.
  • Unauthorized deletion of hosts.
  • Manipulation of MQTT signals.
  • Unauthorized updates to fallback hosts and failover operations.

Overall, this can lead to significant security breaches, data integrity issues, and potential disruption of network operations.

Compliance Impact

I don't know

Detection Guidance

I don't know

Executive Summary

CVE-2026-29194 is an insufficient authorization vulnerability in Netmaker versions prior to 1.5.0. The issue occurs because the Authorize middleware incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), the middleware accepts any valid host token and bypasses all further authorization checks without verifying if the host is authorized to access the specific requested resource.

This means that any attacker who knows object identifiers like node IDs or host IDs can craft requests using arbitrary valid host tokens to access, modify, or delete resources that belong to other hosts. Affected endpoints include node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Netmaker to version 1.5.0 or later, where the issue with improper validation of host JWT tokens has been fixed.

This update addresses the insufficient authorization vulnerability by correctly validating host tokens and ensuring that hosts are authorized to access specific requested resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29194. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart