PT-2026-47621 · Unknown · Nebula-Mesh

Published: 2026-06-08 · Updated: 2026-06-09 · CVE-2026-47724

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Nebula-Mesh versions prior to 0.3.4

Description

An authorization gap across the /api/v1/* route surface allows non-admin operators to obtain broad cross-tenant access. The API treats a valid bearer token as sufficient authorization and does not enforce ownership checks on several endpoints, resulting in Broken Object Level Authorization (BOLA). Any non-admin operator can therefore escalate to administrator or perform unauthorized actions against other tenants' resources.

Technical details include:
  • API Endpoints:
    • /api/v1/operators/<admin-id>/api-keys can be used to mint admin API keys.
    • /api/v1/hosts/<victim-host-id>/reenroll allows cross-operator host takeover.
    • /api/v1/hosts*, /api/v1/networks*, /api/v1/networks/{id}/firewall, and /api/v1/hosts/{id}/mobile-bundle allow unauthorized create, list, get, update, and delete operations.
    • Operator management endpoints, including handleListOperators(), handleDisableOperator(), handleEnableOperator(), handleRevokeOperatorAPIKey(), and handleListOperatorAPIKeys(), lack admin gates.
  • Vulnerable Parameters: The admin-id and victim-host-id path parameters are not validated against the requester's ownership.

Recommendations

Update to version 0.3.4. As a temporary mitigation, restrict access to the /api/v1/hosts*, /api/v1/networks*, /api/v1/operators*, and /api/v1/networks/{id}/firewall endpoints to trusted administrative networks only.

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-47724
GHSA-598G-H2VC-H5VG

Affected Products

Nebula-Mesh