PT-2026-60096 · Unknown · Nebula-Mesh

Published

2026-07-14

·

Updated

2026-07-15

·

CVE-2026-53603

CVSS v4.0

7.1

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions nebula-mesh (affected versions not specified)
Description Operator session tokens are stored in plaintext within the token column of the operator sessions table. These tokens are 32-byte random hex values sent via cookies and remain valid for 24 hours. The issue occurs because the CreateOperatorSession function inserts the token verbatim, and subsequent lookups, updates, or deletes in internal/store/sqlite operators.go use the plaintext value. An attacker with read access to the database, such as through backups, snapshots, or SQL-level disclosure, can obtain active session tokens to hijack operator sessions without further authentication.
Recommendations Store only a SHA256 hash of the session token by implementing a HashSessionToken helper, adding a token hash column via migration, and updating the CreateOperatorSession, PromoteOperatorSession, and GetOperatorBySession functions to use the hash for writing and lookups. Restrict and encrypt database backups. Rotate the operator database.

Fix

Insufficiently Protected Credentials

Cleartext Storage of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-53603
GHSA-Q4VM-PQ3Q-8WGQ

Affected Products

Nebula-Mesh