PT-2026-60105 · Unknown · Nebula-Mesh

Published

2026-07-14

·

Updated

2026-07-15

·

CVE-2026-55512

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions Nebula-mesh versions 0.2.0 through 0.3.8
Description When OIDC is enabled, the application is susceptible to a denial of service via memory exhaustion. An unauthenticated remote client can repeatedly send requests to the GET /ui/oidc/login endpoint, which is not protected by the authentication rate-limiting middleware. Each request triggers the HandleLogin() function to generate a random OIDC state value and store it in an in-memory map for 10 minutes. Because there is no maximum cap on the number of live states or rate limiting on this specific path, a remote attacker can cause significant application-layer memory growth, leading to availability degradation.
Recommendations Apply the auth rate limiter to the GET /ui/oidc/login endpoint. Implement a maximum limit for the number of live OIDC states allowed per client or globally, ensuring the system fails closed when the cap is reached.

Fix

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55512
GHSA-M3CX-MWPG-32JG

Affected Products

Nebula-Mesh