Executive Summary

CVE-2026-29195 is a privilege escalation vulnerability in Netmaker versions prior to 1.5.0. It occurs because the user update handler (PUT /api/users/{username}) does not properly validate role changes during account updates.

While the system prevents an admin user from assigning the admin role to another user, it fails to prevent an admin from assigning the super-admin role. This means an attacker with admin privileges can escalate their role to super-admin by modifying user data via the update API.

This vulnerability is classified as CWE-863 (Incorrect Authorization) due to incomplete authorization checks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with admin privileges to escalate their role to super-admin, granting them the highest level of access within the Netmaker system.

With super-admin privileges, the attacker can perform unrestricted actions, potentially compromising the entire network management environment, altering configurations, accessing sensitive data, and disrupting operations.

Such unauthorized privilege escalation can lead to significant security breaches and loss of control over the affected system.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized role escalation via the user update API endpoint (PUT /api/users/{username}) in Netmaker versions prior to 1.5.0. Detection can focus on monitoring API requests that attempt to modify user roles, especially those where an admin user tries to assign the super-admin role.'}, {'type': 'paragraph', 'content': 'You can detect potential exploitation by inspecting logs or network traffic for PUT requests to the /api/users/ endpoint that include changes to the super-admin role.'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity might include:'}, {'type': 'list_item', 'content': "Using grep on server logs to find PUT requests modifying user roles: grep 'PUT /api/users/' /var/log/netmaker/access.log | grep 'super-admin'"}, {'type': 'list_item', 'content': "Using tcpdump or Wireshark to capture and filter HTTP PUT requests to /api/users/: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'PUT /api/users/'"}, {'type': 'list_item', 'content': 'If using JSON logs, use jq to filter role changes to super-admin: jq \'.request.body.role == "super-admin"\' /var/log/netmaker/access.log'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation is to upgrade Netmaker to version 1.5.0 or later, where this vulnerability has been patched.'}, {'type': 'paragraph', 'content': "Until the upgrade can be performed, restrict admin users' ability to access or use the user update API endpoint to prevent unauthorized role escalation."}, {'type': 'paragraph', 'content': 'Additionally, monitor and audit user role changes closely to detect any suspicious privilege escalations.'}] [1]

Useful 0 Not Useful 0