Listen to this Post
The vulnerability resides in Nebula Mesh’s webhook subscription handler, where non-admin operators (role user) can set `allow_private: true` on their own webhook subscriptions via `POST` or PATCH /api/v1/webhook-subscriptions. No admin privilege check is performed on this field during creation or update — only ownership is validated, and even that check is absent on creation. At delivery time, the dispatcher switches from a guarded HTTP client to an unguarded one when `allow_private` is true, bypassing the built-in SSRF guard that rejects private, loopback, and link-local addresses. This allows a low-privilege operator to force the server to make requests to internal addresses, effectively turning the server into an SSRF proxy.
The code paths in `internal/api/webhooks.go:67` and `:110` persist the `AllowPrivate` flag without any role check, while `internal/webhook/webhook.go:294-296` uses `d.unguarded` when the flag is set, skipping the validation normally enforced by config.ValidateWebhookURL. All other tenant-impacting toggles — such as network creation, settings patches, and CA management — are gated by isActiveAdmin, making this an exception introduced with managed webhook subscriptions (PR 258) and missed by two prior fixes for similar authorization gaps (GHSA-c6v2-3ffm-vcmc).
The proof of concept demonstrates the bypass using a real instance. A non-admin operator creates a webhook with `allow_private: true` pointing to `http://127.0.0.1:9999/internal-admin`; the API returns `201 Createdwith the flag persisted, while omitting the flag yields a `400 Bad Request` confirming the guard is active. Triggering a host lifecycle event (e.g., `unblock` orblock`) on a owned host causes the server to deliver the webhook to the internal listener, which receives the outbound POST requests in real time. The `last_status` and `last_error` fields in the webhook status endpoint also act as a reachability oracle, revealing whether internal addresses are accessible.
DailyCVE Form:
Platform: Nebula Mesh
Version: HEAD 2c3457c
Vulnerability: SSRF via allow_private
Severity: Medium
date: 2026-07-01
Prediction: 2026-07-15
What Undercode Say:
Analytics:
– `internal/api/webhooks.go:67` persists AllowPrivate unchecked.
– `internal/api/webhooks.go:110` same for updates.
– `internal/webhook/webhook.go:294-296` switches client.
– Guard `config.ValidateWebhookURL` skipped when true.
– Admin gate missing; only ownership enforced.
– `canAccessWebhookSub` not called on create.
– Prior fixes missed this class (GHSA-c6v2…).
– PR 258 introduced the exception.
– Low-privilege operators can exploit.
– Server becomes SSRF proxy for internal addresses.
– Reachability oracle via last_status/last_error.
– Cloud metadata services may be exposed.
– IMDSv2 tokens can block but not guaranteed.
Exploit:
Create webhook with allow_private=true
curl -X POST http://127.0.0.1:8181/api/v1/webhook-subscriptions \
-H "Authorization: Bearer $NON_ADMIN_KEY" \
-H "Content-Type: application/json" \
-d '{"url":"http://127.0.0.1:9999/internal-admin","allow_private":true,"events":["host.enrolled"]}'
Trigger host lifecycle event
curl -X POST http://127.0.0.1:8181/api/v1/hosts/$HOST_ID/unblock \
-H "Authorization: Bearer $NON_ADMIN_KEY"
Check delivery status (reachability oracle)
curl -X GET http://127.0.0.1:8181/api/v1/webhook-subscriptions/$WEBHOOK_ID \
-H "Authorization: Bearer $NON_ADMIN_KEY"
Protection:
- Gate `AllowPrivate` on `isActiveAdmin` check.
- Validate URL even when allow_private is true.
- Remove unguarded client or enforce guard always.
- Apply same admin checks as other endpoints.
- Backport fixes from GHSA-c6v2-3ffm-vcmc.
- Monitor for unauthorized webhook creations.
Impact:
- Non-admin SSRF against internal/loopback.
- Internal network probing and blind POST.
- Potential cloud IAM credential exposure.
- Bypasses admin boundary enforced elsewhere.
- Affects all Nebula Mesh deployments.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

