Skip to main content

Wg Easy

1 CVEs product

Monthly

CVE-2026-63089 CRITICAL PATCH Act Now

Peer credential disclosure in WireGuard Easy (wg-easy) through 15.3.0 lets unauthenticated network attackers recover a client's WireGuard PrivateKey and PresharedKey by brute-forcing the one-time configuration link. Because the OTL token is derived from CRC32 over a random value bounded to 0-999, an attacker faces at most 1000 candidate tokens per client ID against the unauthenticated /cnf/:oneTimeLink route, which had no rate limiting and did not enforce token expiration. There is no public exploit identified at time of analysis, but the small keyspace makes exploitation trivial once a valid link is active; the flaw was reported by VulnCheck and is fixed upstream.

Information Disclosure Wg Easy
NVD GitHub
CVSS 4.0
9.0
CVSS 9.0
CRITICAL PATCH Act Now

Peer credential disclosure in WireGuard Easy (wg-easy) through 15.3.0 lets unauthenticated network attackers recover a client's WireGuard PrivateKey and PresharedKey by brute-forcing the one-time configuration link. Because the OTL token is derived from CRC32 over a random value bounded to 0-999, an attacker faces at most 1000 candidate tokens per client ID against the unauthenticated /cnf/:oneTimeLink route, which had no rate limiting and did not enforce token expiration. There is no public exploit identified at time of analysis, but the small keyspace makes exploitation trivial once a valid link is active; the flaw was reported by VulnCheck and is fixed upstream.

Information Disclosure Wg Easy
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy