Skip to main content

nebula-mgmt CVE-2026-53602

MEDIUM
Insufficient Session Expiration (CWE-613)
2026-07-09 https://github.com/forgekeep/nebula-mesh GHSA-339v-266x-79xr
Share

Severity by source

vuln.today AI
5.4 MEDIUM

Prior enrollment credentials are the minimum privilege (PR:L); auto-renewal path requires no user interaction; impact limited to low-level overlay network access bypass with no availability dimension.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 21:21 vuln.today

DescriptionCVE.org

Summary

Two related authorization gaps let a host that should no longer be trusted obtain a fresh, valid Nebula certificate, because nebula-mgmt does not re-evaluate revocation/authorization state at certificate *issuance* time - only at poll time.

1. Blocklist not enforced at sign / re-enroll time

internal/api/enroll.go:128 calls caMgr.Sign(...) without consulting the blocklist. The blocklist is only checked in the poll path (internal/api/updates.go:57, fingerprintInBlocklist). The blocklist is keyed by certificate *fingerprint* (internal/store/sqlite.go), so a re-enrollment produces a new fingerprint that is not in the blocklist.

mintEnrollmentTokenForHost (internal/api/hosts.go:491) authorizes the caller via canAccessHost but does not check the host status. There is no guard preventing a blocked host from transitioning back to enrolled (internal/store/sqlite.go, enrollHostInTx updates status unconditionally).

Impact: A host that an operator has blocked can be silently un-blocked by issuing a new enrollment token and re-enrolling - it receives a fresh certificate (new fingerprint) that passes all subsequent poll-time blocklist checks. Revocation is therefore not durable. Requires an operator action (minting a re-enroll token), so this is an integrity/operational-revocation failure rather than an unauthenticated bypass.

2. Renewal does not re-validate operator / CA status

Auto-renewal at poll time (internal/api/updates.go:285-319, signHostCert) reads host.Name, host.Groups, host.NebulaIPs from the DB and re-signs without checking whether the owning operator is still active or the CA still valid. DisableOperator (internal/store/sqlite_operators.go) revokes sessions and API keys but does not retire the operator's CAs, and pki/signer.go checks only CA cert time-expiry, not operator/CA status.

Impact: A host enrolled under an operator who is later disabled continues to renew its certificate indefinitely. Offboarding an operator does not cut off the hosts they provisioned.

Affected versions

Latest tagged release (v0.3.6) and main.

Remediation

  1. Call a blocklist/status guard inside handleEnroll and signHostCert before caMgr.Sign(...); refuse issuance for a host whose status is blocked or whose previous fingerprint is on the blocklist. Require an explicit unblock before re-enroll.
  2. At renewal, re-resolve the owning operator/CA status and reject renewal if the operator is disabled or the CA retired (force re-enrollment instead).

Discovery

Found during an internal source + offensive security audit (tracking issue #178). Adversarially cross-verified against the code paths above.

AnalysisAI

Certificate revocation in nebula-mgmt (forgekeep/nebula-mesh ≤ v0.3.6) is non-durable due to two distinct authorization gaps at certificate issuance time. Blocked hosts bypass blocklist enforcement entirely by re-enrolling with a new token because enroll.go:128 calls caMgr.Sign() without consulting the blocklist - a fingerprint-keyed structure that treats any fresh certificate as unknown. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Operator account disabled in nebula-mgmt
Delivery
Affected host continues polling auto-renewal endpoint
Exploit
signHostCert re-signs without operator or CA status check
Execution
Fresh valid certificate issued to host
Impact
Host retains persistent unauthorized Nebula overlay network access

Vulnerability AssessmentAI

Exploitation Issue 1 requires that an operator with permission to call `mintEnrollmentTokenForHost` (`internal/api/hosts.go:491`) mint a new enrollment token for the blocked host - the blocked host cannot self-issue this token, so exploitation depends on operator error, social engineering of a legitimate operator, or compromise of an operator account. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or EPSS probability is available for this CVE, so risk is assessed entirely from the code-level description and structural analysis. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario For Issue 2: a host provisioned by an operator who is later offboarded polls the renewal endpoint at its normal interval; `signHostCert` re-signs the certificate reading only time-expiry of the CA, not the disabled status of the owning operator, so the host receives a fresh valid certificate and retains uninterrupted access to the Nebula overlay. For Issue 1: a second operator, unaware that a host has been blocked, mints a re-enrollment token; the host re-enrolls, generating a new fingerprint absent from the blocklist, and is silently restored to `enrolled` status without any explicit unblock action or audit trail.
Remediation No vendor-released patch is identified at time of analysis; the advisory at https://github.com/forgekeep/nebula-mesh/security/advisories/GHSA-339v-266x-79xr describes code-level fixes but references no tagged release containing them. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53602 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy