CVE-2026-29196
Status: Received - Intake
Unauthorized Access to WireGuard Private Keys in Netmaker API

Publication date: 2026-03-07

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. While the Netmaker UI restricts visibility, the API endpoints return full records, including private keys, without filtering based on the requesting user's ownership. This issue has been patched in version 1.5.0.
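To make the authorization flaw concrete, the following is an added illustration and not Netmaker's own code: a hypothetical list handler with the defect class the description names (authenticated, but no ownership filtering, so every record in the network is returned with its private key) beside a hardened version that returns only the caller's own records to a platform user and the full set only to an admin. All type names, field names, roles and sample records are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is a hypothetical caller role; "admin" and "platform-user" are assumed names.
type Role string

const (
	RoleAdmin        Role = "admin"
	RolePlatformUser Role = "platform-user"
)

// User is the authenticated caller (assumed shape, not Netmaker's model).
type User struct {
	Name string
	Role Role
}

// ExtClient models one WireGuard config record; field names are assumptions.
type ExtClient struct {
	ClientID   string
	Network    string
	OwnerID    string
	PublicKey  string
	PrivateKey string
}

// Constructed sample store: two networks, records owned by different users.
var store = []ExtClient{
	{ClientID: "alice-laptop", Network: "corp", OwnerID: "alice", PublicKey: "PUB-A1", PrivateKey: "PRIV-A1"},
	{ClientID: "bob-phone", Network: "corp", OwnerID: "bob", PublicKey: "PUB-B1", PrivateKey: "PRIV-B1"},
	{ClientID: "alice-desk", Network: "lab", OwnerID: "alice", PublicKey: "PUB-A2", PrivateKey: "PRIV-A2"},
}

// vulnerableList shows the defect class (CWE-863): it performs an authorization
// check (caller must be authenticated) but then returns every record in the
// network, private keys included, regardless of who owns it.
func vulnerableList(caller User, network string) ([]ExtClient, error) {
	if caller.Name == "" {
		return nil, errors.New("unauthenticated")
	}
	var out []ExtClient
	for _, c := range store {
		if c.Network == network {
			out = append(out, c)
		}
	}
	return out, nil
}

// hardenedList enforces ownership: a non-admin caller only receives records it
// owns, so other users' private keys never leave the server.
func hardenedList(caller User, network string) ([]ExtClient, error) {
	if caller.Name == "" {
		return nil, errors.New("unauthenticated")
	}
	var out []ExtClient
	for _, c := range store {
		if c.Network != network {
			continue
		}
		if caller.Role != RoleAdmin && c.OwnerID != caller.Name {
			continue // not the caller's record: omit it entirely, key included
		}
		out = append(out, c)
	}
	return out, nil
}

// leakedPrivateKeys reports private keys in a response that do not belong to the
// caller (admins are entitled to all of them), which is the check a reviewer
// would apply to a handler's output.
func leakedPrivateKeys(caller User, resp []ExtClient) []string {
	var leaked []string
	for _, c := range resp {
		if caller.Role != RoleAdmin && c.OwnerID != caller.Name && c.PrivateKey != "" {
			leaked = append(leaked, c.PrivateKey)
		}
	}
	return leaked
}

func main() {
	bob := User{Name: "bob", Role: RolePlatformUser}
	v, _ := vulnerableList(bob, "corp")
	h, _ := hardenedList(bob, "corp")
	fmt.Printf("vulnerable handler: %d records, %d foreign private keys leaked\n", len(v), len(leakedPrivateKeys(bob, v)))
	fmt.Printf("hardened handler:   %d records, %d foreign private keys leaked\n", len(h), len(leakedPrivateKeys(bob, h)))
}
```

The design point is that the ownership filter is applied on the server before serialization; stripping keys in the UI (which is what the description says Netmaker did) leaves the API response unchanged and therefore does nothing for callers who skip the UI.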
Meta Information
Published: 2026-03-07
Last Modified: 2026-03-12
Generated: 2026-06-16
AI Q&A: 2026-03-07
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
One associated CPE: vendor gravitl, product netmaker, versions up to 1.5.0 (exclusive)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

CVE-2026-29196 is a vulnerability in Netmaker versions prior to 1.5.0 that allows a user with the platform-user role to retrieve WireGuard private keys for all WireGuard configurations within a network.

This happens because the API endpoints GET /api/extclients/{network} and GET /api/nodes/{network} return full records including private keys without properly filtering based on the requesting user's ownership or permissions.

The root cause is an incorrect authorization check (CWE-863), where the system performs authorization but fails to enforce it properly, allowing unauthorized access to sensitive private keys.

The Netmaker UI restricts key visibility, but the API endpoints do not, leading to this exposure.

This issue has been fixed in Netmaker version 1.5.0. [1]

Impact Analysis

This vulnerability can have a severe impact because it exposes WireGuard private keys to users who should not have access to them.

With access to private keys, an attacker or unauthorized user could decrypt network traffic, impersonate network nodes, or gain unauthorized access to the network.

Such exposure compromises the confidentiality and integrity of the network communications secured by WireGuard.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to access the API endpoints that expose WireGuard private keys without proper authorization.

- Use an HTTP client or command-line tool like curl to call the endpoints GET /api/extclients/{network} or GET /api/nodes/{network} on your Netmaker server.
- For example, run: curl -X GET https://<netmaker-server>/api/extclients/<network> or curl -X GET https://<netmaker-server>/api/nodes/<network>
- If the response contains WireGuard private keys for all configurations in the network regardless of the requesting user's ownership or permissions, the vulnerability is present. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Netmaker to version 1.5.0 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict platform-user role access to trusted users only, as this role can exploit the vulnerability to retrieve private keys.

Additionally, monitor and audit API access to the endpoints GET /api/extclients/{network} and GET /api/nodes/{network} to detect any unauthorized attempts.
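The audit step above can be automated. The following is an added example, not a Netmaker tool: it scans API access-log lines and flags GET requests to the two affected list endpoints that were made by a non-admin role, which is exactly the traffic worth reviewing on an unpatched server. The key=value log format, the role names and the sample lines are constructed for this example; Netmaker's real log format is not shown on the page and a deployment would adapt the parser to whatever its reverse proxy or server actually emits.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed access-log lines in an assumed key=value format (not Netmaker's real format).
var sampleLog = []string{
	"ts=2026-03-08T10:00:01Z user=alice role=admin method=GET path=/api/extclients/corp status=200",
	"ts=2026-03-08T10:00:05Z user=bob role=platform-user method=GET path=/api/nodes/corp status=200",
	"ts=2026-03-08T10:00:09Z user=bob role=platform-user method=GET path=/api/networks status=200",
	"ts=2026-03-08T10:00:12Z user=carol role=platform-user method=GET path=/api/extclients/lab status=200",
	"ts=2026-03-08T10:00:15Z user=carol role=platform-user method=POST path=/api/extclients/lab/carol-phone status=201",
	"malformed line without fields",
}

// sensitiveList matches the two network-wide list endpoints from the advisory:
// /api/extclients/{network} and /api/nodes/{network}, with exactly one path
// segment after the prefix so per-object routes are not flagged.
var sensitiveList = regexp.MustCompile(`^/api/(extclients|nodes)/[^/]+$`)

// Finding is one log line that warrants review.
type Finding struct {
	Time string
	User string
	Role string
	Path string
}

// parseKV splits "k=v k=v ..." into a map; tokens without '=' are ignored.
func parseKV(line string) map[string]string {
	kv := make(map[string]string)
	for _, tok := range strings.Fields(line) {
		if i := strings.IndexByte(tok, '='); i > 0 {
			kv[tok[:i]] = tok[i+1:]
		}
	}
	return kv
}

// FlagSensitiveLists returns every GET to a sensitive list endpoint issued by a
// caller whose role is not admin. On an unpatched server each such request
// could have returned every private key in that network.
func FlagSensitiveLists(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		kv := parseKV(line)
		if kv["method"] != "GET" || !sensitiveList.MatchString(kv["path"]) {
			continue
		}
		if kv["role"] == "admin" {
			continue // admins are expected to list whole networks
		}
		out = append(out, Finding{Time: kv["ts"], User: kv["user"], Role: kv["role"], Path: kv["path"]})
	}
	return out
}

func main() {
	for _, f := range FlagSensitiveLists(sampleLog) {
		fmt.Printf("%s review: %s (%s) listed %s\n", f.Time, f.User, f.Role, f.Path)
	}
}
```

Matching on the exact two-segment path keeps the rule narrow: a POST or a request for a single named client is routine platform-user activity, while a network-wide listing by a platform user is the pattern the advisory describes and is what should be correlated with who owns the configs in that network.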
