SB2026042754 - Multiple vulnerabilities in Netmaker


Published: April 27, 2026

Security Bulletin ID: SB2026042754
Severity: Medium
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium 33%, Low 67%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Incorrect authorization (CVE-ID: CVE-2026-29194)

The vulnerability allows a remote user to access, modify, or delete resources belonging to other hosts.

The vulnerability exists due to incorrect authorization in the Authorise middleware when handling requests to routes that permit host authentication. A remote user can send a request with an arbitrary valid host token and knowledge of object identifiers to access, modify, or delete resources belonging to other hosts.

Affected operations include node information retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations.


2) Incorrect authorization (CVE-ID: CVE-2026-29195)

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in the user update handler when handling PUT /api/users/{username} requests. A remote user can send a crafted user update request to escalate privileges.

The issue allows an admin-role user to assign the super-admin role during account updates.


3) Incorrect authorization (CVE-ID: CVE-2026-29196)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in GET /api/extclients/{network} and GET /api/nodes/{network} when handling requests for network configuration records. A remote user can send a crafted API request to disclose sensitive information.

The issue exposes WireGuard private keys from WireGuard configs across the network because returned records are not filtered based on the requesting user's ownership.
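Items 1 and 3 are the same defect class seen twice: the request is authenticated, but the authenticated identity is never bound to the object being read or changed. The Go snippet below is an added illustration, not Netmaker's code; every name in it (Principal, Node, vulnerableHostCheck, hardenedHostCheck, filterOwned) is hypothetical. It shows the host-to-object binding a host-authenticated route needs (item 1) and the ownership filter a listing endpoint needs before returning records (item 3).

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types, not Netmaker's own. Principal is what a validated host
// token proves (the sending host's ID); Node is a record owned by one host.
type Principal struct{ HostID string }
type Node struct{ ID, HostID string }

var ErrForbidden = errors.New("forbidden: token host does not own target")

// vulnerableHostCheck mirrors the bug class of CVE-2026-29194: any valid
// host token passes, and target.HostID is never compared to the caller.
func vulnerableHostCheck(p *Principal, target Node) error {
	if p == nil || p.HostID == "" {
		return errors.New("unauthenticated")
	}
	return nil
}

// hardenedHostCheck binds the authenticated host to the object acted on.
func hardenedHostCheck(p *Principal, target Node) error {
	if err := vulnerableHostCheck(p, target); err != nil {
		return err // still rejects missing or empty tokens
	}
	if target.HostID != p.HostID {
		return ErrForbidden
	}
	return nil
}

// filterOwned keeps only records the caller owns, the filter a list
// endpoint such as GET /api/nodes/{network} needs (CVE-2026-29196).
func filterOwned(p *Principal, all []Node) []Node {
	out := []Node{}
	for _, n := range all {
		if n.HostID == p.HostID {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	caller := &Principal{HostID: "host-A"} // constructed sample identities
	nodes := []Node{{"n1", "host-A"}, {"n2", "host-B"}}
	fmt.Println(vulnerableHostCheck(caller, nodes[1]), hardenedHostCheck(caller, nodes[1]), len(filterOwned(caller, nodes)))
}
```

Run as written, the vulnerable check lets host-A act on host-B's node (nil error), the hardened check returns ErrForbidden, and the filtered list contains only host-A's record.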


Remediation

Install the update from the vendor's website.