CVE-2026-29771
Denial of Service via Shutdown Endpoint in Netmaker Server
Publication date: 2026-03-07
Last updated on: 2026-05-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netmaker | netmaker | From 1.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29771 is a high-severity Denial of Service (DoS) vulnerability in Netmaker versions prior to 1.2.0. It exists because the /api/server/shutdown endpoint allows any user to terminate the Netmaker server process by sending a syscall SIGINT signal.
This unauthorized access enables repeated shutdowns of the server, causing a cyclic DoS condition where the server restarts approximately every 3 seconds.
The vulnerability is classified under CWE-404, which means the product improperly shuts down or releases resources.
This issue was fixed in Netmaker version 1.2.0.
How can this vulnerability impact me? :
This vulnerability can cause a cyclic denial of service on the Netmaker server by allowing any user to repeatedly shut down the server process.
As a result, the server will be unavailable or unstable, restarting approximately every 3 seconds, which can disrupt network operations and services relying on Netmaker.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for repeated shutdown and restart cycles of the Netmaker server process occurring approximately every 3 seconds.'}, {'type': 'paragraph', 'content': 'Additionally, network traffic analysis can be performed to detect unauthorized requests to the /api/server/shutdown endpoint.'}, {'type': 'paragraph', 'content': 'Commands to help detect this behavior might include:'}, {'type': 'list_item', 'content': 'Using system process monitoring tools such as: `ps aux | grep netmaker` repeatedly to observe frequent restarts.'}, {'type': 'list_item', 'content': 'Checking server logs for repeated shutdown requests or errors related to the server process.'}, {'type': 'list_item', 'content': "Using network monitoring tools like `tcpdump` or `wireshark` to capture and filter HTTP requests to the /api/server/shutdown endpoint, for example: `tcpdump -i any -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/api/server/shutdown'`."}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Netmaker to version 1.2.0 or later, where this vulnerability has been patched.
Until the upgrade can be performed, restrict access to the /api/server/shutdown endpoint to trusted users only, for example by implementing network-level access controls or firewall rules.
Monitoring and alerting on repeated shutdown attempts can also help in early detection and response.