CVE-2026-29196
Unauthorized Access to WireGuard Private Keys in Netmaker API
Publication date: 2026-03-07
Last updated on: 2026-03-12
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gravitl | netmaker | before 1.5.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29196 is a vulnerability in Netmaker versions prior to 1.5.0 that allows a user with the platform-user role to retrieve WireGuard private keys for all WireGuard configurations within a network.
This happens because the API endpoints GET /api/extclients/{network} and GET /api/nodes/{network} return full records including private keys without properly filtering based on the requesting user's ownership or permissions.
The root cause is an incorrect authorization check (CWE-863), where the system performs authorization but fails to enforce it properly, allowing unauthorized access to sensitive private keys.
The Netmaker UI restricts key visibility, but the API endpoints do not, leading to this exposure.
This issue has been fixed in Netmaker version 1.5.0. [1]
How can this vulnerability impact me?
This vulnerability can have a severe impact because it exposes WireGuard private keys to users who should not have access to them.
With access to private keys, an attacker or unauthorized user could potentially decrypt network traffic, impersonate network nodes, or gain unauthorized access to the network.
Such exposure compromises the confidentiality and integrity of the network communications secured by WireGuard.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the API endpoints that expose WireGuard private keys without proper authorization.
- Use an HTTP client or command-line tool like curl to call the endpoints GET /api/extclients/{network} or GET /api/nodes/{network} on your Netmaker server.
- For example, run: curl -X GET https://<netmaker-server>/api/extclients/<network> or curl -X GET https://<netmaker-server>/api/nodes/<network>
- If the response contains WireGuard private keys for all configurations in the network regardless of the requesting user's ownership or permissions, the vulnerability is present. [1]
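The response check described above can be scripted. This is an added example, not part of the original page or of Netmaker's code: it takes the JSON body saved from one of the two endpoints on your own server and lists the records whose WireGuard private key is visible to someone other than the record's owner. The field names `ownerid`, `clientid` and `privatekey` and the sample data are assumptions; adjust them to the schema your server returns.

```python
import base64
import binascii
import json

def is_wg_key(value):
    """True if value is base64 that decodes to 32 bytes, the size of a WireGuard key."""
    if not isinstance(value, str) or len(value) != 44:
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def private_key_fields(record):
    """Names of fields in one record that hold a populated private key."""
    hits = []
    for name, value in record.items():
        flat = name.lower().replace("_", "")
        if "private" in flat and "key" in flat and is_wg_key(value):
            hits.append(name)
    return hits

def exposed_records(body, requester, owner_field="ownerid", id_field="clientid"):
    """Return ids of records whose private key is visible to a non-owner.

    body is the JSON text of a list response fetched as `requester`.
    owner_field and id_field are assumed names. Records with no owner
    field are reported, since the requester cannot be shown to own them.
    """
    records = json.loads(body)
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of records")
    exposed = []
    for rec in records:
        if not isinstance(rec, dict) or not private_key_fields(rec):
            continue
        if rec.get(owner_field) != requester:
            exposed.append(rec.get(id_field, "<unknown>"))
    return exposed

def sample_key(seed):
    """Constructed 32-byte value in WireGuard key encoding; not a real key."""
    return base64.b64encode(bytes((seed + i) % 256 for i in range(32))).decode()

# Constructed sample response, not output from a real server.
SAMPLE = json.dumps([
    {"clientid": "alice-laptop", "ownerid": "alice", "privatekey": sample_key(1)},
    {"clientid": "bob-phone", "ownerid": "bob", "privatekey": sample_key(2)},
    {"clientid": "carol-tablet", "ownerid": "carol", "privatekey": ""},
])
```

An empty list for a platform-user means the response carried no private keys belonging to other owners; any returned id is a key that should be treated as disclosed and rotated.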
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Netmaker to version 1.5.0 or later, where this vulnerability has been patched.
Until the upgrade can be performed, restrict platform-user role access to trusted users only, as this role can exploit the vulnerability to retrieve private keys.
Additionally, monitor and audit API access to the endpoints GET /api/extclients/{network} and GET /api/nodes/{network} to detect any unauthorized attempts.