Incorrect authorization in Netmaker - CVE-2026-29196


Published: April 27, 2026


Vulnerability identifier: #VU128021
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-29196
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GRAVITL
Affected software:
Netmaker

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in GET /api/extclients/{network} and GET /api/nodes/{network} when handling requests for network configuration records. A remote user can send a crafted API request to disclose sensitive information.

The issue exposes WireGuard private keys from the WireGuard configs of other users across the network, because the returned records are not filtered by the requesting user's ownership.
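To illustrate the ownership-filtering defect the description refers to (CWE-863), the following is an added Go example and not Netmaker's own code: a hypothetical listing behind GET /api/extclients/{network}, shown in the vulnerable shape beside the corrected one. The record type, the constructed sample store and the function names are assumptions.

```go
package main

import "fmt"

// ExtClient is a hypothetical record shaped like the data the advisory
// describes: a per-client WireGuard config that carries its private key.
type ExtClient struct {
	ClientID   string
	Network    string
	OwnerID    string
	PrivateKey string
}

// Constructed sample data; the key strings are placeholders, not real keys.
var store = []ExtClient{
	{"alice-laptop", "office", "alice", "PRIVKEY-ALICE-PLACEHOLDER"},
	{"bob-phone", "office", "bob", "PRIVKEY-BOB-PLACEHOLDER"},
	{"carol-vpn", "lab", "carol", "PRIVKEY-CAROL-PLACEHOLDER"},
}

// ListVulnerable shows the CWE-863 pattern the advisory describes: the
// caller is authenticated (user is known) and the network matches, but
// nothing filters by ownership, so every private key in the network leaks.
func ListVulnerable(network, _ string) []ExtClient {
	var out []ExtClient
	for _, c := range store {
		if c.Network == network {
			out = append(out, c)
		}
	}
	return out
}

// ListFixed keeps the network match and adds the missing ownership check:
// a non-admin caller only receives the records it owns. The caller identity
// is assumed to come from an upstream authentication layer, never from input.
func ListFixed(network, user string, isAdmin bool) []ExtClient {
	var out []ExtClient
	for _, c := range store {
		if c.Network == network && (isAdmin || c.OwnerID == user) {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	fmt.Println(len(ListVulnerable("office", "bob")), len(ListFixed("office", "bob", false)))
}
```

The same ownership filter applies to any per-user record a network-scoped listing returns, such as the node records behind GET /api/nodes/{network}.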


How to mitigate CVE-2026-29196

Install the security update from the vendor's website.

Sources