Incorrect authorization in Netmaker - CVE-2026-29194

Published: April 27, 2026


Vulnerability identifier: #VU128019
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-29194
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GRAVITL
Affected software:
Netmaker

Detailed vulnerability description

The vulnerability allows a remote user to access, modify, or delete resources belonging to other hosts.

The vulnerability exists due to incorrect authorization in the Authorise middleware when handling requests to routes that permit host authentication. A remote user can send a request with an arbitrary valid host token and knowledge of object identifiers to access, modify, or delete resources belonging to other hosts.

Affected operations include node information retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations.
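The authorization flaw described above, as an added illustration in Go that is not Netmaker's own code: a check that accepts any valid host token (the CWE-863 pattern) beside one that also ties the token's host identity to the host identifier in the request. The token store, token strings and host IDs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed token-to-host mapping standing in for host-token validation.
// Netmaker's real Authorise middleware and token format are not reproduced here.
var hostTokens = map[string]string{
	"token-host-A": "host-A",
	"token-host-B": "host-B",
}

var ErrUnauthorized = errors.New("unauthorized: unknown host token")
var ErrForbidden = errors.New("forbidden: token does not belong to target host")

// hostFromToken returns the host ID a bearer token was issued to.
func hostFromToken(authHeader string) (string, error) {
	tok := strings.TrimPrefix(authHeader, "Bearer ")
	hostID, ok := hostTokens[tok]
	if !ok {
		return "", ErrUnauthorized
	}
	return hostID, nil
}

// authoriseWeak models the incorrect check: proving possession of some valid
// host token is treated as sufficient, and targetHostID is never compared.
func authoriseWeak(authHeader, targetHostID string) error {
	_, err := hostFromToken(authHeader)
	return err
}

// authoriseFixed authenticates the token and then binds the caller's host
// identity to the object addressed by the request (e.g. a host delete or
// node lookup for targetHostID).
func authoriseFixed(authHeader, targetHostID string) error {
	callerHost, err := hostFromToken(authHeader)
	if err != nil {
		return err
	}
	if callerHost != targetHostID {
		return ErrForbidden
	}
	return nil
}

func main() {
	fmt.Println("weak :", authoriseWeak("Bearer token-host-A", "host-B"))
	fmt.Println("fixed:", authoriseFixed("Bearer token-host-A", "host-B"))
}
```

In the weak variant a request carrying host A's token against host B's identifier is accepted; the fixed variant returns ErrForbidden, which is the decision an audit log or detection rule should be keyed on.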


How to mitigate CVE-2026-29194

Install the security update from the vendor's website.

Sources