PT-2026-60113 · Unknown · Nebula-Mesh

Published

2026-07-14

·

Updated

2026-07-15

·

CVE-2026-61699

CVSS v3.1

8.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions nebula-mesh (affected versions not specified)
Description Certificate revocation is not enforced within the mesh because the agent fails to process the blocklist provided by the server. While the server correctly computes and ships the per-CA blocklist via the GET /api/v1/agent/updates endpoint, the agent decodes the blocklist field and subsequently discards it without applying it to the configuration. Additionally, the configuration generator lacks the necessary fields to emit the pki.blocklist in the config.yml file.
As a result, a host that has been blocked, offboarded, or compromised remains capable of establishing successful handshakes with its peers for the remainder of its certificate lifetime, which can be up to 30 days for agent hosts and 365 days for mobile hosts. An attacker possessing the host.key and host.crt can maintain full overlay reachability to the mesh even after an operator has revoked the host in the UI or API.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-61699
GHSA-CM26-5974-52H8

Affected Products

Nebula-Mesh