PT-2026-23870 · Wireguard+1

Artem Danilov · Published 2025-08-08 · Updated 2026-03-25 · CVE-2026-29195

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Netmaker versions prior to 1.5.0

Description

Netmaker, which utilizes WireGuard, has an issue where the user update handler does not properly validate role assignments. Specifically, an administrator-role user can assign the super-admin role to another user via the PUT /api/users/{username} API endpoint. The system prevents an administrator from assigning the administrator role, but lacks a similar check for the super-admin role. The vulnerable parameter is username.

Recommendations

Update to version 1.5.0 or later.
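
The gap described above, as an added sketch that is not Netmaker's code: a per-role deny check that misses super-admin, next to a rank comparison that closes the gap. The role strings, rank values and function names are assumptions made for illustration, and the rank policy is one possible hardening, not the project's fix.

```go
package main

import (
	"errors"
	"fmt"
)

// Role names and ranks are assumptions for this sketch, not Netmaker identifiers.
type Role string

const (
	RoleUser       Role = "user"
	RoleAdmin      Role = "admin"
	RoleSuperAdmin Role = "super-admin"
)

var rank = map[Role]int{RoleUser: 1, RoleAdmin: 2, RoleSuperAdmin: 3}
var ErrForbidden = errors.New("role change not permitted")

// checkDenyList mirrors the flaw in the description: an admin caller is
// stopped from granting admin, but super-admin is never compared.
func checkDenyList(caller, current, requested Role) error {
	if caller == RoleAdmin && requested == RoleAdmin {
		return ErrForbidden
	}
	return nil
}

// checkByRank rejects unknown roles and requires the caller to outrank both
// the target's current role and the requested one (policy of this sketch).
func checkByRank(caller, current, requested Role) error {
	c, ok1 := rank[caller]
	cur, ok2 := rank[current]
	req, ok3 := rank[requested]
	if !ok1 || !ok2 || !ok3 {
		return ErrForbidden
	}
	if requested != current && (c <= cur || c <= req) {
		return ErrForbidden
	}
	return nil
}

func main() {
	// Constructed request: admin caller, target is a plain user.
	for _, want := range []Role{RoleAdmin, RoleSuperAdmin} {
		fmt.Println(want, checkDenyList(RoleAdmin, RoleUser, want), checkByRank(RoleAdmin, RoleUser, want))
	}
}
```

Comparing ranks instead of enumerating forbidden roles means a role added later is denied by default until it is given a rank.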

Exploit

Fix

LPE

Incorrect Authorization

Weakness Enumeration

Related Identifiers

BDU:2026-03335
CVE-2026-29195
GHSA-CH3W-9456-38V3
GO-2026-4654
SUSE-SU-2026:1042-1

Affected Products

Netmaker
Wireguard