PT-2026-23868 · Wireguard+1 · Wireguard+1

Artem Danilov · Published 2025-08-08 · Updated 2026-03-25 · CVE-2026-29194

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Netmaker versions prior to 1.5.0

Description

Netmaker, which utilizes WireGuard, has an issue where the Authorize middleware does not properly validate host JWT tokens. When host authentication is permitted (hostAllowed=true), a valid host token circumvents authorization checks without confirming the host's access rights to the requested resource. This allows entities with knowledge of object identifiers (node IDs, host IDs) to construct requests using a valid host token to access, modify, or delete resources belonging to other hosts. The following API endpoints are affected: node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations. The vulnerable parameter is the host JWT token.

Recommendations

Update to version 1.5.0 or later.
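
The authorization gap described above, reduced to a minimal Go sketch (an added example, not Netmaker's code): a check that accepts any valid host token beside one that also binds the token's host to the requested object. `Claims`, `nodeOwner`, `authorizeWeak` and `authorizeStrict` are hypothetical names, and the ownership table is constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims is a hypothetical host token payload whose signature is already verified.
type Claims struct{ HostID string }

// nodeOwner is constructed sample data: node ID -> owning host ID.
var nodeOwner = map[string]string{"node-a": "host-1", "node-b": "host-2"}

var ErrForbidden = errors.New("forbidden: host is not authorized for this resource")

// authorizeWeak mirrors the described flaw: with hostAllowed set, any valid
// host token passes and the requested hostID/nodeID are never consulted.
func authorizeWeak(c *Claims, hostAllowed bool, hostID, nodeID string) error {
	if hostAllowed && c != nil {
		return nil
	}
	return ErrForbidden
}

// authorizeStrict additionally requires that the object named in the request
// belongs to the host that the token was issued to.
func authorizeStrict(c *Claims, hostAllowed bool, hostID, nodeID string) error {
	if !hostAllowed || c == nil || c.HostID == "" {
		return ErrForbidden
	}
	if hostID != "" && hostID != c.HostID {
		return ErrForbidden // host ID in the request is not the caller's own
	}
	if nodeID != "" {
		owner, ok := nodeOwner[nodeID]
		if !ok || owner != c.HostID {
			return ErrForbidden // unknown node, or node owned by another host
		}
	}
	return nil
}

func main() {
	c := &Claims{HostID: "host-1"} // token issued to host-1
	fmt.Println("weak, node of host-2:  ", authorizeWeak(c, true, "", "node-b"))
	fmt.Println("strict, node of host-2:", authorizeStrict(c, true, "", "node-b"))
	fmt.Println("strict, own node:      ", authorizeStrict(c, true, "host-1", "node-a"))
}
```

The strict variant fails closed on unknown node IDs, so a lookup miss is treated the same as a foreign object.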

Exploit

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

BDU:2026-03334
CVE-2026-29194
GHSA-HMQR-WJMJ-376C
GO-2026-4655
SUSE-SU-2026:1042-1

Affected Products

Netmaker
Wireguard