PT-2026-60096 · Unknown · Nebula-Mesh
Published
2026-07-14
·
Updated
2026-07-15
·
CVE-2026-53603
CVSS v4.0
7.1
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
nebula-mesh (affected versions not specified)
Description
Operator session tokens are stored in plaintext within the
token column of the operator sessions table. These tokens are 32-byte random hex values sent via cookies and remain valid for 24 hours. The issue occurs because the CreateOperatorSession function inserts the token verbatim, and subsequent lookups, updates, or deletes in internal/store/sqlite operators.go use the plaintext value. An attacker with read access to the database, such as through backups, snapshots, or SQL-level disclosure, can obtain active session tokens to hijack operator sessions without further authentication.Recommendations
Store only a SHA256 hash of the session token by implementing a
HashSessionToken helper, adding a token hash column via migration, and updating the CreateOperatorSession, PromoteOperatorSession, and GetOperatorBySession functions to use the hash for writing and lookups.
Restrict and encrypt database backups.
Rotate the operator database.Fix
Insufficiently Protected Credentials
Cleartext Storage of Sensitive Information
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Nebula-Mesh