nebula-mgmt CVE-2026-53602
MEDIUMSeverity by source
Prior enrollment credentials are the minimum privilege (PR:L); auto-renewal path requires no user interaction; impact limited to low-level overlay network access bypass with no availability dimension.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
1DescriptionCVE.org
Summary
Two related authorization gaps let a host that should no longer be trusted obtain a fresh, valid Nebula certificate, because nebula-mgmt does not re-evaluate revocation/authorization state at certificate *issuance* time - only at poll time.
1. Blocklist not enforced at sign / re-enroll time
internal/api/enroll.go:128 calls caMgr.Sign(...) without consulting the blocklist. The blocklist is only checked in the poll path (internal/api/updates.go:57, fingerprintInBlocklist). The blocklist is keyed by certificate *fingerprint* (internal/store/sqlite.go), so a re-enrollment produces a new fingerprint that is not in the blocklist.
mintEnrollmentTokenForHost (internal/api/hosts.go:491) authorizes the caller via canAccessHost but does not check the host status. There is no guard preventing a blocked host from transitioning back to enrolled (internal/store/sqlite.go, enrollHostInTx updates status unconditionally).
Impact: A host that an operator has blocked can be silently un-blocked by issuing a new enrollment token and re-enrolling - it receives a fresh certificate (new fingerprint) that passes all subsequent poll-time blocklist checks. Revocation is therefore not durable. Requires an operator action (minting a re-enroll token), so this is an integrity/operational-revocation failure rather than an unauthenticated bypass.
2. Renewal does not re-validate operator / CA status
Auto-renewal at poll time (internal/api/updates.go:285-319, signHostCert) reads host.Name, host.Groups, host.NebulaIPs from the DB and re-signs without checking whether the owning operator is still active or the CA still valid. DisableOperator (internal/store/sqlite_operators.go) revokes sessions and API keys but does not retire the operator's CAs, and pki/signer.go checks only CA cert time-expiry, not operator/CA status.
Impact: A host enrolled under an operator who is later disabled continues to renew its certificate indefinitely. Offboarding an operator does not cut off the hosts they provisioned.
Affected versions
Latest tagged release (v0.3.6) and main.
Remediation
- Call a blocklist/status guard inside
handleEnrollandsignHostCertbeforecaMgr.Sign(...); refuse issuance for a host whose status isblockedor whose previous fingerprint is on the blocklist. Require an explicit unblock before re-enroll. - At renewal, re-resolve the owning operator/CA status and reject renewal if the operator is disabled or the CA retired (force re-enrollment instead).
Discovery
Found during an internal source + offensive security audit (tracking issue #178). Adversarially cross-verified against the code paths above.
AnalysisAI
Certificate revocation in nebula-mgmt (forgekeep/nebula-mesh ≤ v0.3.6) is non-durable due to two distinct authorization gaps at certificate issuance time. Blocked hosts bypass blocklist enforcement entirely by re-enrolling with a new token because enroll.go:128 calls caMgr.Sign() without consulting the blocklist - a fingerprint-keyed structure that treats any fresh certificate as unknown. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Issue 1 requires that an operator with permission to call `mintEnrollmentTokenForHost` (`internal/api/hosts.go:491`) mint a new enrollment token for the blocked host - the blocked host cannot self-issue this token, so exploitation depends on operator error, social engineering of a legitimate operator, or compromise of an operator account. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score or EPSS probability is available for this CVE, so risk is assessed entirely from the code-level description and structural analysis. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | For Issue 2: a host provisioned by an operator who is later offboarded polls the renewal endpoint at its normal interval; `signHostCert` re-signs the certificate reading only time-expiry of the CA, not the disabled status of the owning operator, so the host receives a fresh valid certificate and retains uninterrupted access to the Nebula overlay. For Issue 1: a second operator, unaware that a host has been blocked, mints a re-enrollment token; the host re-enrolls, generating a new fingerprint absent from the blocklist, and is silently restored to `enrolled` status without any explicit unblock action or audit trail. |
| Remediation | No vendor-released patch is identified at time of analysis; the advisory at https://github.com/forgekeep/nebula-mesh/security/advisories/GHSA-339v-266x-79xr describes code-level fixes but references no tagged release containing them. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-339v-266x-79xr