Skip to main content

nebula-mesh CVE-2026-47723

HIGH
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-06-08 https://github.com/juev/nebula-mesh GHSA-w7w5-5gcp-38rw
Share

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 08, 2026 - 23:35 vuln.today
Analysis Generated
Jun 08, 2026 - 23:35 vuln.today

DescriptionCVE.org

None of the response paths in internal/web/ or internal/api/ set the standard browser-security headers. grep for Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy returns zero matches across the codebase.

Impact

The admin UI signs CA certificates, mints API keys (returned inline once per page), displays TOTP QR codes, and exposes operator-management forms. Missing X-Frame-Options: DENY / frame-ancestors 'none' is a real clickjacking lever against an admin browsing /ui/operators/* or /ui/cas/*. Missing X-Content-Type-Options: nosniff allows MIME confusion on any user-supplied content surface. Missing HSTS on TLS deployments leaves a downgrade window.

Affected

All released versions up to v0.3.0.

Suggested fix

A single response-header middleware mounted at the chi router root in both /ui/* and /api/* paths:

go
func securityHeadersMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
        h := rw.Header()
        h.Set("Content-Security-Policy",
            "default-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'")
        h.Set("X-Content-Type-Options", "nosniff")
        h.Set("Referrer-Policy", "same-origin")
        h.Set("X-Frame-Options", "DENY")  // belt-and-braces; CSP frame-ancestors is the modern path
        if r.TLS != nil {
            h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
        }
        next.ServeHTTP(rw, r)
    })
}

The inline <script> in layout.html for CSRF wiring (added in the CSRF advisory) will need either a nonce, a hash in CSP, or external-file extraction. Easiest path: a nonce per request (crypto/rand, base64) injected into both the CSP header and the script's nonce="" attribute.

AnalysisAI

Missing browser security headers in nebula-mesh (Go-based mesh admin platform) through v0.3.0 expose the admin UI and API to clickjacking, MIME-sniffing, referrer leakage, and TLS downgrade attacks. The admin surfaces affected handle high-value operations including CA certificate signing, API key minting, TOTP QR display, and operator management, making framing or MIME confusion attacks materially impactful. No public exploit identified at time of analysis, and the issue was reported by the maintainer with a patch released in v0.3.1.

Technical ContextAI

nebula-mesh is a Go application built on the chi router, where response handlers in internal/web/ and internal/api/ never emit standard browser hardening headers - Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, and Referrer-Policy are entirely absent from the codebase. The root cause maps to CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), the canonical class for clickjacking exposure. Because chi middleware was never wired with a security-header layer, every response path - including high-sensitivity admin endpoints under /ui/operators/* and /ui/cas/* - relies on browser defaults, leaving the application embeddable in attacker-controlled frames and vulnerable to content-type sniffing on any user-influenced payload. CPE pkg:go/github.com_juev_nebula-mesh identifies the affected Go module.

RemediationAI

Vendor-released patch: nebula-mesh v0.3.1, available at https://github.com/forgekeep/nebula-mesh/releases/tag/v0.3.1 with the fix commit at https://github.com/forgekeep/nebula-mesh/commit/b45fda5476c41ffcff1ca23058aef0fb851359c1 - upgrade is the primary action. The patch introduces a securityHeaders chi middleware that sets Content-Security-Policy (with frame-ancestors 'none', base-uri 'none', form-action 'self'), X-Content-Type-Options: nosniff, Referrer-Policy: same-origin, X-Frame-Options: DENY, and conditionally Strict-Transport-Security on TLS requests; note the shipped CSP retains 'unsafe-inline' for script-src and style-src for template compatibility, so XSS hardening is partial until inline blocks and event handlers are extracted. If you cannot upgrade immediately, front nebula-mesh with a reverse proxy (nginx, Caddy, Traefik) that injects the same headers - trade-off: HSTS injected at the proxy will persist in browsers and complicates rollback, and a too-strict CSP can break the existing inline CSRF wiring in layout.html, so test against the admin UI before enforcing.

Share

CVE-2026-47723 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy