PT-2026-47622 · Go · Github.Com/Juev/Nebula-Mesh

Published

2026-06-08

·

Updated

2026-06-08

·

CVE-2026-47725

CVSS v4.0

7.0

High

VectorAV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Every /ui/* POST / PUT / PATCH / DELETE route processes the request as soon as the session cookie validates. SameSite=Lax on the session cookie prevents most cross-site form submits but does not protect:
  • top-level form-submit navigations from third-party pages (some browsers still send Lax cookies on top-level POSTs)
  • same-registrable-domain attackers (sibling-subdomain XSS, subdomain takeover)
  • the GET /ui/logout route, which a third-party <img src=".../ui/logout"> can force-trigger
The admin UI signs CA certificates, mints API keys, rotates / retires / deletes CAs, disables operators, and changes server settings. CSRF here is a real privilege escalation, not just annoyance.

Affected

All released versions up to v0.3.2.

Suggested fix

Double-submit cookie: a 32-byte crypto/rand token in a non-HttpOnly csrf cookie, echoed in either X-CSRF-Token (htmx) or a csrf form field (HTML forms). Compared in constant time. Rotated on every privilege transition (Login, OIDC StartAuthenticatedSession, CompleteTwoFactor, Logout) so pre-auth fixation cannot survive promotion. Rejections audit-logged as ui.csrf.rejected with reason; response body stays opaque.
/ui/logout becomes POST so it is no longer reachable via <img> tags.
Fix coordinates with the Secure-cookie advisory disclosed concurrently — the csrf cookie inherits the same Secure-attribute derivation.

Reproducer

With an authenticated operator session in browser tab A, open the following minimal HTML in any other tab:
<form action="https://nebula.example.com/ui/cas/{ca-id}/delete" method="POST">
 <button>Click for free puppy</button>
</form>
Click. The CA is deleted — the server processes the POST because the session cookie is automatically attached and there is no other check. The same trick works for force-rotate, retire, mint API keys, disable operators, etc.
Alternative force-logout: <img src="https://nebula.example.com/ui/logout"> placed on an attacker's page logs out any visiting authenticated operator. No interaction required.

Notes

  • Multipart and JSON endpoints don't exist in the current UI surface. Future additions must rely on the header path because r.PostFormValue only reads application/x-www-form-urlencoded bodies. The middleware's package comment documents this.
  • The patch assumes nebula-mgmt is the sole authority on its registrable domain. A compromised sibling subdomain can still set parent-domain cookies and forge matches; SameSite=Lax does not prevent that. Documented in the patch.

Fix

Improper Privilege Management

CSRF

Weakness Enumeration

CWE-269CWE-352

Related Identifiers

CVE-2026-47725
GHSA-273Q-QGH5-WRJ6

Affected Products

Github.Com/Juev/Nebula-Mesh