PT-2026-60113 · Unknown · Nebula-Mesh
Published
2026-07-14
·
Updated
2026-07-15
·
CVE-2026-61699
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
nebula-mesh (affected versions not specified)
Description
Certificate revocation is not enforced within the mesh because the agent fails to process the blocklist provided by the server. While the server correctly computes and ships the per-CA blocklist via the
GET /api/v1/agent/updates endpoint, the agent decodes the blocklist field and subsequently discards it without applying it to the configuration. Additionally, the configuration generator lacks the necessary fields to emit the pki.blocklist in the config.yml file.As a result, a host that has been blocked, offboarded, or compromised remains capable of establishing successful handshakes with its peers for the remainder of its certificate lifetime, which can be up to 30 days for agent hosts and 365 days for mobile hosts. An attacker possessing the
host.key and host.crt can maintain full overlay reachability to the mesh even after an operator has revoked the host in the UI or API.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Nebula-Mesh