CVE-2026-38651
Published: 28 April 2026
Summary
CVE-2026-38651 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Netmaker. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 21.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
CVE-2026-38651 is an authentication bypass vulnerability affecting Netmaker versions prior to 1.5.0. The issue resides in the VerifyHostToken function within logic/jwts.go, which fails to properly validate the JWT signature during host token verification. This flaw, classified under CWE-347 (Improper Verification of Cryptographic Signature), carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and was published on 2026-04-28.
An unauthenticated attacker with network access can exploit this vulnerability by forging a JWT token signed with any arbitrary key. By presenting the forged token, the attacker can impersonate any host within the Netmaker network, thereby gaining unauthorized access to sensitive information. The impact includes high confidentiality loss and low integrity disruption, with no availability effects.
Mitigation involves upgrading to Netmaker version 1.5.0 or later, where the fix is implemented as detailed in the patch commit at https://github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79b. Additional guidance is available in advisories and blog posts from Zyenra at https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass and https://www.zyenra.com/blog/netmaker-jwt-verification-bypass.
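The check this class of bug omits, as an added example (not Netmaker's code and not the patch): a host-token verifier that pins the algorithm and compares the HMAC before any claim is trusted. HS256, the HostClaims field and both key strings are assumptions constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type HostClaims struct{ ID string `json:"id"` } // hypothetical claim set (assumption)
var b64 = base64.RawURLEncoding

func macB64(msg string, key []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return b64.EncodeToString(m.Sum(nil))
}

// signHS256 builds a compact HS256 token; used only to construct sample input.
func signHS256(c HostClaims, key []byte) string {
	p, _ := json.Marshal(c)
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(p)
	return msg + "." + macB64(msg, key)
}

// verifyHostToken trusts no claim until the algorithm and HMAC have been checked.
func verifyHostToken(tok string, key []byte) (c HostClaims, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	hdr, e1 := b64.DecodeString(parts[0])
	body, e2 := b64.DecodeString(parts[1])
	var h struct{ Alg string }
	if e1 != nil || e2 != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256" {
		return c, fmt.Errorf("bad encoding or unexpected alg") // pins the algorithm, rejects "none"
	}
	if !hmac.Equal([]byte(parts[2]), []byte(macB64(parts[0]+"."+parts[1], key))) {
		return c, fmt.Errorf("signature mismatch") // constant-time comparison
	}
	err = json.Unmarshal(body, &c)
	return c, err
}

func main() {
	forged := signHS256(HostClaims{ID: "host-a"}, []byte("constructed-other-key"))
	fmt.Println(verifyHostToken(forged, []byte("constructed-server-key")))
}
```

The example covers signature and algorithm checks only; expiry and audience validation are outside what it demonstrates.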
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26062
Vulnerability details
Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing Netmaker application allowing remote unauthenticated attackers to forge JWT tokens and impersonate hosts for unauthorized access.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Requires identification and authentication of devices/hosts prior to network access, directly preventing impersonation via forged host JWT tokens.
Mandates integrity verification for software, firmware, and information, including cryptographic signature checks on JWT host tokens to detect forgery.
Ensures secure management of authenticators like JWTs, including protection against alteration and compromise during verification.