CVE-2026-53603
HIGHLifecycle Timeline
3DescriptionCVE.org
Impact
Operator session tokens are stored in plaintext in the operator_sessions table (the token column is the PRIMARY KEY). The session token is a 32-byte random hex value sent directly in a cookie and valid for 24 hours.
internal/models/operator.go:61-OperatorSession.Tokenholds the plaintext token.internal/store/sqlite_operators.go:590-CreateOperatorSessioninsertssess.Tokenverbatim.internal/store/sqlite_operators.go:603,642,681,698- lookups/updates/deletes useWHERE token = ?against the plaintext value.
Anyone who can read the database (backup, snapshot, file copy, or SQL-level disclosure) obtains every active session token and can hijack operator sessions directly, with no further authentication.
This is functionally identical to the plaintext enrollment-token issue fixed in GHSA-ghmh-jhmj-wcmf. API keys (OperatorAPIKey.KeyHash) and enrollment tokens (EnrollmentToken.TokenHash) already store only a SHA256 hash; session tokens were missed.
Patches
Store only a SHA256 hash of the session token, mirroring API keys and enrollment tokens:
- Add a
HashSessionTokenhelper (alongside the existing token-hash helpers). - Migration to add a
token_hashcolumn. - Update
CreateOperatorSession,PromoteOperatorSession, andGetOperatorBySessionto write/look up by hash. - Drop the plaintext
tokencolumn in a follow-up migration.
Sessions are ephemeral (24h TTL), so all active sessions can be invalidated on deployment - no backward compatibility needed.
Workarounds
Restrict and encrypt database backups; rotate the operator database. These mitigate exposure but do not fix the underlying storage of plaintext tokens.
Resources
internal/models/operator.go:58-66internal/store/sqlite_operators.go:577-698- Migration
005_operators.up.sql:27 - Prior related advisory: GHSA-ghmh-jhmj-wcmf
AnalysisAI
Cleartext storage of operator session tokens in forgekeep/nebula-mesh (Go) lets anyone with read access to the SQLite operator database hijack every active operator session. The 32-byte hex session token is written verbatim as the PRIMARY KEY of the operator_sessions table and is the exact value carried in the operator's 24-hour session cookie, so a leaked backup, snapshot, file copy, or SQL-level disclosure yields directly-usable credentials with no further authentication. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours, immediately upgrade forgekeep/nebula-mesh to version 0.3.8 and audit database access logs and backup logs for any unauthorized file access, SQL-level database exports, or snapshots created before patch deployment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-312 – Cleartext Storage of Sensitive Information
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-q4vm-pq3q-8wgq