CVE-2026-47724 — github.com/juev/nebula-mesh
Missing AuthorizationThe /api/v1/* route surface trusts the bearer token alone for authorisation on most endpoints. The codebase itself admits this at internal/api/hosts.go:384: "API trusts the bearer token for authorisation; per-CA ownership is enforced only in the Web layer."
The Web UI gates state-changing routes through loadAccessibleCA (internal/web/cas.go); CA-management endpoints in internal/api/cas.go ALSO have proper canAccessCA gates. The gap is on the host, network, firewall, mobile-bundle, and most operator endpoints. Combined with the per-operator CA model from ADR 0002, this gives any non-admin operator API key broad cross-tenant access — instant privilege escalation in the worst case.
Affected
All released versions prior to v0.3.4.
Exploit chain
A) Mint admin API key from any operator key (instant privilege escalation)
internal/api/operators.go:118 — handleCreateOperatorAPIKey does no admin check and no actor/target-operator ownership check. Any operator key can call it for any operator (including admins) and receive a fresh bearer.
curl -X POST -H "Authorization: Bearer <low-priv-key>" \
https://server/api/v1/operators/<admin-id>/api-keys \
-H 'Content-Type: application/json' -d '{"name":"oops"}'
# Returns: {"key":"<32-byte admin bearer>","entry":{...}}
Reuse the returned key for subsequent requests → full admin.
B) Cross-operator host takeover via reenroll
internal/api/hosts.go:321,330 → mintEnrollmentTokenForHost. Looks up host by URL param, mints a single-use enrollment token, returns it. No ownership check.
curl -X POST -H "Authorization: Bearer <low-priv-key>" \
https://server/api/v1/hosts/<victim-host-id>/reenroll
# Returns: {"enrollment_token":"<uuid>",...}
Caller POSTs /api/v1/enroll with their own X25519 + Ed25519 keypairs. enroll.go:175 overwrites signing_pub_pem; SaveCertificateAndEnrollHost overwrites the cert. Legitimate agent's next signed poll fails bad_signature. Attacker now owns the victim's Nebula identity.
C) Cross-tenant CRUD on hosts, networks, firewall
The same gap applies across:
/api/v1/hosts*— create, list, get, update, delete, block, unblock/api/v1/networks*— create, list, get/api/v1/networks/{id}/firewall— get, PUT/api/v1/hosts/{id}/mobile-bundle(already filed as public issue #119)
All trust bearer-auth alone. Any operator can read or mutate any other operator's resources.
Affected operator-management handlers (in addition to A)
Beyond handleCreateOperatorAPIKey (covered by A), internal/api/operators.go is missing admin gates on:
handleListOperators(line 66) — operator roster info disclosurehandleDisableOperator(line 79) — DoS / sabotagehandleEnableOperator(line 94) — re-enable disabled operatorshandleRevokeOperatorAPIKey(line 157) — invalidate any operator's API keyshandleListOperatorAPIKeys(line 173) — API-key metadata disclosure
handleCreateOperator (line 26) IS properly gated (actorIsAdmin at line 27).
NOT affected (verified)
internal/api/cas.go properly gates every CA endpoint via canAccessCA (calls at lines 70, 176, 216) and admin shortcuts at lines 39, 82. An earlier description draft mistakenly listed /api/v1/cas/{id}/rotate as affected — that endpoint is properly protected. CAs are not in this gap.
Impact
- Any non-admin operator → admin via one curl (A).
- Any non-admin operator → ownership of any victim's hosts with cert + identity transfer (B).
- Mass cross-tenant CRUD including firewall-rule mutation (C).
- Any operator → disable/enable other operators, revoke their API keys, enumerate the operator roster.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H — 9.6.
Suggested fix
Shared helpers in a new internal/api/authz.go, mirroring the Web layer's loadAccessibleCA:
func (s *Server) requireAdmin(w http.ResponseWriter, r *http.Request) bool
func (s *Server) requireOperatorAccess(w http.ResponseWriter, r *http.Request, operatorID string) bool
func (s *Server) requireHostAccess(w http.ResponseWriter, r *http.Request, hostID string) (*models.Host, bool)
func (s *Server) requireNetworkAccess(w http.ResponseWriter, r *http.Request, networkID string) (*models.Network, bool)
Each loads the resource, resolves its CA via *.CAID, accepts if actorIsAdmin(ctx) OR actor owns the CA. Reject 403 forbidden; audit-log api.<resource>.forbidden with the reason.
The operator-management endpoints take requireAdmin instead (operator ownership doesn't map to CA ownership).
Apply at the top of every host-, network-, firewall-, mobile-bundle-touching API handler, plus the 5 operator endpoints listed above. The legacy config-key path retains admin (preserves backward compatibility); the broader legacy-fallback question is tracked separately as issue #121.
Test matrix
- admin → all operations permitted
- owning non-admin → operations on owned hosts/networks permitted
- non-owner non-admin → 403 + audit entry
- legacy config-key → preserved (admin)
- unauthenticated → existing 401 from middleware
Coordinated context
Subsumes public issue #119 (mobile-bundle authz). Issue #121 (actor.go:40 legacy-admin fallback) is a separate concern tracked independently.
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime
Frequently Asked Questions
A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.
CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.
A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.
Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.
Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.
SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.