Skip to main content

Nebula Mesh CVE-2026-49258

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-26 https://github.com/juev/nebula-mesh GHSA-c6v2-3ffm-vcmc
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable web UI (AV:N) with no ownership check (AC:L) needs only a low-priv operator account (PR:L) and no interaction; full cross-tenant read (C:H) plus host delete/cert-revoke (I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 26, 2026 - 21:51 vuln.today
Analysis Generated
Jun 26, 2026 - 21:51 vuln.today

DescriptionGitHub Advisory

Summary

The web UI (/ui/*) does not apply the per-operator CA scoping the JSON API received for GHSA-598g-h2vc-h5vg. Any authenticated non-admin operator (for example, one created via self-registration or OIDC) can access resources belonging to other operators.

Impact

A non-admin operator can:

  • Block or delete any other operator's host. POST /ui/hosts/{id}/block and DELETE /ui/hosts/{id} act on the URL id with no ownership check, so a non-admin can block (revoking the host's certificate via the blocklist) or delete any host in the deployment - a cross-operator denial of service.
  • Read every operator's hosts and networks. The dashboard, /ui/hosts, the host detail page, /ui/networks (including the create-form error re-render), and the /ui/events stream all return data across all operators, exposing host names, Nebula IPs, public IPs, certificate fingerprints and expiry, and network names and CIDRs.

This is the same cross-operator class as GHSA-598g; that remediation covered the JSON API but not the web read/mutation surface. The host create/edit/mobile-bundle/network-create paths and all CA-management routes were already correctly scoped.

Affected handlers (internal/web): handleHostDetail, handleHostBlock, handleHostDelete, handleDashboard, handlePartialStats, handleHosts, handleNetworks, renderNetworksError, handleHostEvents.

Conditions

Exposure requires at least one non-admin operator to exist (self-registration enabled, OIDC, or an admin-created user). A single-admin deployment with no additional operators is not affected.

Fix

A complete candidate fix with regression tests is ready in a private repository shared with the maintainer (ak2k/nebula-mesh-ghsa-web, PR #1): scope these handlers to the session operator's owned CAs (admins keep the full view), mirroring the API's ownership checks.

AnalysisAI

Cross-operator authorization bypass in juev/nebula-mesh (<= 0.3.4) lets any authenticated non-admin operator read and mutate resources owned by other operators through the web UI (/ui/*), which-unlike the JSON API fixed in GHSA-598g-never applies per-operator CA scoping. An attacker with a low-privileged operator account can enumerate every operator's hosts and networks (names, Nebula/public IPs, certificate fingerprints, CIDRs) and can block (revoke certificates) or delete any host in the deployment, causing cross-operator denial of service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain non-admin operator account (self-register/OIDC)
Delivery
Browse /ui/hosts and dashboard cross-tenant
Exploit
Enumerate other operators' host IDs and data
Execution
Send DELETE or POST block on target host ID
Impact
Revoke cert / delete host (cross-operator DoS)

Vulnerability AssessmentAI

Exploitation Requires a valid authenticated non-admin operator account (PR:L) and the existence of at least one additional non-admin operator, which is only possible when self-registration is enabled, OIDC sign-up is configured, or an admin has created non-admin users; a single-admin deployment with no other operators is explicitly not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a genuine multi-tenant priority where additional operators exist. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker self-registers (or is provisioned via OIDC) as an ordinary non-admin operator on a multi-tenant Nebula Mesh instance, then loads /ui/hosts and the dashboard to harvest every other operator's host names, Nebula and public IPs, certificate fingerprints, and network CIDRs. Using the leaked host ids, the attacker issues DELETE /ui/hosts/{id} or POST /ui/hosts/{id}/block against a rival operator's hosts, deleting them or revoking their certificates via the blocklist to knock those hosts off the mesh. …
Remediation No vendor-released patch identified at time of analysis: the advisory states a complete candidate fix with regression tests exists only in a private repository shared with the maintainer (ak2k/nebula-mesh-ghsa-web, PR #1) and no tagged release fixes versions <= 0.3.4, so monitor https://github.com/juev/nebula-mesh/security/advisories/GHSA-c6v2-3ffm-vcmc for an upstream release and upgrade as soon as a patched version ships. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Nebula Mesh deployments ≤v0.3.4 in your environment; immediately disable the web UI (/ui/*) at the network perimeter by blocking all requests to that path, or disable the UI component entirely in your Nebula configuration. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy