CVE-2026-29194
Published: 07 March 2026
Summary
CVE-2026-29194 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Gravitl Netmaker. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates enforcement of approved authorizations for resource access, addressing the middleware's failure to validate host tokens against specific resources like node info or host deletion.
Requires a tamper-proof reference monitor mechanism, such as the Authorize middleware, to properly mediate and enforce access control policies for all host token requests.
Implements least privilege to restrict host tokens to only necessary resources, limiting the impact of authorization bypasses on other hosts' data.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass in public-facing Netmaker API enables remote exploitation of the app (T1190) and allows low-priv host token to escalate to unauthorized resource access/modification/deletion (T1068).
NVD Description
Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorization checks without verifying that the host…
more
is authorized to access the specific requested resource. Any entity possessing knowledge of object identifiers (node IDs, host IDs) can craft a request with an arbitrary valid host token to access, modify, or delete resources belonging to other hosts. Affected endpoints include node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations. This issue has been patched in version 1.5.0.
Deeper analysisAI
CVE-2026-29194 is a high-severity authorization vulnerability (CWE-863) in Netmaker, an open-source tool for creating networks using WireGuard. In versions prior to 1.5.0, the Authorize middleware improperly validates host JWT tokens. Specifically, when a route allows host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorization checks without confirming that the host is permitted to access the requested resource.
An attacker with low privileges (PR:L) and knowledge of object identifiers such as node IDs or host IDs can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By crafting a request using an arbitrary valid host token, they can access, modify, or delete resources belonging to other hosts. Affected endpoints include node information retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations. The vulnerability yields high impacts on confidentiality (C:H) and integrity (I:H) with no availability impact (A:N), resulting in a CVSS v3.1 base score of 8.1.
The issue has been addressed in Netmaker version 1.5.0. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory (GHSA-hmqr-wjmj-376c) and the release notes for v1.5.0.
Details
- CWE(s)