CVE-2026-38651
Published: 28 April 2026
Summary
CVE-2026-38651 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 8.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires identification and authentication of devices/hosts prior to network access, directly preventing impersonation via forged host JWT tokens.
Mandates integrity verification for software, firmware, and information, including cryptographic signature checks on JWT host tokens to detect forgery.
Ensures secure management of authenticators like JWTs, including protection against alteration and compromise during verification.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing Netmaker application allowing remote unauthenticated attackers to forge JWT tokens and impersonate hosts for unauthorized access.
NVD Description
Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information.
Deeper analysis
CVE-2026-38651 is an authentication bypass vulnerability affecting Netmaker versions prior to 1.5.0. The issue resides in the VerifyHostToken function within logic/jwts.go, which fails to properly validate the JWT signature during host token verification. This flaw, classified under CWE-347 (Improper Verification of Cryptographic Signature), carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and was published on 2026-04-28.
An unauthenticated attacker with network access can exploit this vulnerability by forging a JWT token signed with any arbitrary key. By presenting the forged token, the attacker can impersonate any host within the Netmaker network, thereby gaining unauthorized access to sensitive information. The impact includes high confidentiality loss and low integrity disruption, with no availability effects.
Mitigation involves upgrading to Netmaker version 1.5.0 or later, where the fix is implemented as detailed in the patch commit at https://github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79b. Additional guidance is available in advisories and blog posts from Zyenra at https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass and https://www.zyenra.com/blog/netmaker-jwt-verification-bypass.
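The class of flaw described above, shown as an added Go example that is not Netmaker's code and is not taken from the patch commit: a decoder that reads claims without checking the signature, next to one that recomputes the tag with the server key first. It assumes HS256 tokens; the names `seal`, `decodeOnly`, `verifyThenDecode`, the `host` claim and the sample keys are hypothetical, and the sample data is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
// sampleMsg is a constructed "header.payload" pair; the claim name "host" is hypothetical.
var sampleMsg = b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString([]byte(`{"host":"node-a"}`))

// seal appends the HMAC-SHA256 tag to "header.payload", giving a complete token.
func seal(msg string, key []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return msg + "." + b64.EncodeToString(m.Sum(nil))
}

// decodeOnly returns the claims without ever looking at the signature (the CWE-347 pattern).
func decodeOnly(token string) (claims map[string]string, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	raw, err := b64.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	return claims, err
}

// verifyThenDecode recomputes the tag with the server key (algorithm fixed in code) before trusting claims.
func verifyThenDecode(token string, key []byte) (map[string]string, error) {
	i := strings.LastIndex(token, ".")
	if i < 0 || !hmac.Equal([]byte(token), []byte(seal(token[:i], key))) {
		return nil, fmt.Errorf("signature check failed")
	}
	return decodeOnly(token)
}

func main() {
	tok := seal(sampleMsg, []byte("not-the-server-key"))
	fmt.Println(decodeOnly(tok))
	fmt.Println(verifyThenDecode(tok, []byte("server-key")))
}
```

The comparison uses `hmac.Equal`, which runs in constant time, and the verifier never selects an algorithm from the token header.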
Details
- CWE(s)