CVE-2026-63089
Received Received - Intake

Weak Token Generation in WireGuard Easy Allows VPN Peer Impersonation

Vulnerability report for CVE-2026-63089, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: VulnCheck

Description

WireGuard Easy through 15.3.0, fixed in commit 66b292b, contains a cryptographically weak one-time link token generation vulnerability that allows unauthenticated network attackers to recover WireGuard peer credentials by brute-forcing a keyspace of at most 1000 candidate tokens per client ID, as the token is computed using CRC32 over a random value constrained to 0-999. Attackers can enumerate candidate tokens against the unauthenticated /cnf/:oneTimeLink route, which lacks rate limiting and does not validate token expiration, to obtain a peer's PrivateKey and PresharedKey and impersonate that peer on the VPN network.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wg_easy wireguard_easy to 15.3.0 (inc)
wireguard easy to 15.3.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

WireGuard Easy through 15.3.0 has a cryptographically weak one-time link token generation vulnerability. Tokens are generated using CRC32 over a random value limited to 0-999, creating a small keyspace of at most 1000 possible tokens per client ID. Unauthenticated attackers can brute-force these tokens via the /cnf/:oneTimeLink route to recover WireGuard peer credentials like PrivateKey and PresharedKey, enabling VPN impersonation.

Detection Guidance

To detect this vulnerability, monitor network traffic for repeated requests to the /cnf/:oneTimeLink route. Check for brute-force attempts by analyzing logs for multiple failed token validation attempts. Use tools like tcpdump or Wireshark to capture traffic to this endpoint. Additionally, verify if WireGuard Easy versions up to 15.3.0 are installed on your system.

Impact Analysis

An attacker could impersonate VPN peers by brute-forcing tokens and stealing credentials. This allows unauthorized access to the VPN network, potentially intercepting traffic, accessing sensitive data, or launching further attacks. The lack of rate limiting and expiration checks makes exploitation feasible.

Compliance Impact

This vulnerability likely violates compliance requirements for data protection and access control. It enables unauthorized access to VPN networks, risking exposure of sensitive data. GDPR and HIPAA mandate strong authentication and encryption; this flaw undermines those controls, potentially leading to regulatory penalties.

Mitigation Strategies

Immediately update WireGuard Easy to the latest version that includes commit 66b292b or later. Ensure one-time link tokens have short expiration windows and are single-use. Disable Basic Authentication if Password Authentication is turned off. Implement rate limiting on the /cnf/:oneTimeLink route to prevent brute-force attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63089. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart