nebula-mesh CVE-2026-47723
HIGHLifecycle Timeline
2DescriptionCVE.org
None of the response paths in internal/web/ or internal/api/ set the standard browser-security headers. grep for Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy returns zero matches across the codebase.
Impact
The admin UI signs CA certificates, mints API keys (returned inline once per page), displays TOTP QR codes, and exposes operator-management forms. Missing X-Frame-Options: DENY / frame-ancestors 'none' is a real clickjacking lever against an admin browsing /ui/operators/* or /ui/cas/*. Missing X-Content-Type-Options: nosniff allows MIME confusion on any user-supplied content surface. Missing HSTS on TLS deployments leaves a downgrade window.
Affected
All released versions up to v0.3.0.
Suggested fix
A single response-header middleware mounted at the chi router root in both /ui/* and /api/* paths:
func securityHeadersMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
h := rw.Header()
h.Set("Content-Security-Policy",
"default-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'")
h.Set("X-Content-Type-Options", "nosniff")
h.Set("Referrer-Policy", "same-origin")
h.Set("X-Frame-Options", "DENY") // belt-and-braces; CSP frame-ancestors is the modern path
if r.TLS != nil {
h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
}
next.ServeHTTP(rw, r)
})
}The inline <script> in layout.html for CSRF wiring (added in the CSRF advisory) will need either a nonce, a hash in CSP, or external-file extraction. Easiest path: a nonce per request (crypto/rand, base64) injected into both the CSP header and the script's nonce="" attribute.
AnalysisAI
Missing browser security headers in nebula-mesh (Go-based mesh admin platform) through v0.3.0 expose the admin UI and API to clickjacking, MIME-sniffing, referrer leakage, and TLS downgrade attacks. The admin surfaces affected handle high-value operations including CA certificate signing, API key minting, TOTP QR display, and operator management, making framing or MIME confusion attacks materially impactful. No public exploit identified at time of analysis, and the issue was reported by the maintainer with a patch released in v0.3.1.
Technical ContextAI
nebula-mesh is a Go application built on the chi router, where response handlers in internal/web/ and internal/api/ never emit standard browser hardening headers - Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, and Referrer-Policy are entirely absent from the codebase. The root cause maps to CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), the canonical class for clickjacking exposure. Because chi middleware was never wired with a security-header layer, every response path - including high-sensitivity admin endpoints under /ui/operators/* and /ui/cas/* - relies on browser defaults, leaving the application embeddable in attacker-controlled frames and vulnerable to content-type sniffing on any user-influenced payload. CPE pkg:go/github.com_juev_nebula-mesh identifies the affected Go module.
RemediationAI
Vendor-released patch: nebula-mesh v0.3.1, available at https://github.com/forgekeep/nebula-mesh/releases/tag/v0.3.1 with the fix commit at https://github.com/forgekeep/nebula-mesh/commit/b45fda5476c41ffcff1ca23058aef0fb851359c1 - upgrade is the primary action. The patch introduces a securityHeaders chi middleware that sets Content-Security-Policy (with frame-ancestors 'none', base-uri 'none', form-action 'self'), X-Content-Type-Options: nosniff, Referrer-Policy: same-origin, X-Frame-Options: DENY, and conditionally Strict-Transport-Security on TLS requests; note the shipped CSP retains 'unsafe-inline' for script-src and style-src for template compatibility, so XSS hardening is partial until inline blocks and event handlers are extracted. If you cannot upgrade immediately, front nebula-mesh with a reverse proxy (nginx, Caddy, Traefik) that injects the same headers - trade-off: HSTS injected at the proxy will persist in browsers and complicates rollback, and a too-strict CSP can break the existing inline CSRF wiring in layout.html, so test against the admin UI before enforcing.
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-w7w5-5gcp-38rw