Listen to this Post
How CVE-2026-55513 Works
The `nebula-mgmt` Web UI host-creation path ignores both the server-wide `enrollment_token_ttl` security setting and per-network `network_config.enrollment_token_ttl` overrides. Enrollment tokens are bearer credentials for the public `POST /api/v1/enroll` endpoint. The server configuration documents a security knob for their default lifetime and per-network overrides. The API server implements and consistently uses a resolver with precedence of per-network enrollment_token_ttl, then server default, then 24h fallback.
API host creation uses now.Add(s.tokenTTLFor(r.Context(), host.NetworkID)). However, the Web UI sibling path does not call the resolver and instead always sets a 24-hour expiry. `internal/web/handlers.go:879` sets ExpiresAt: now.Add(24 time.Hour). This creates inconsistent behavior between API and Web UI host creation. The issue is reachable by an authenticated Web UI operator who can create hosts. Admins can create hosts in any network; non-admin operators can create hosts in networks whose CA they own.
The configurable enrollment-token TTL feature was introduced by commit 6c344a6. `git tag –contains 6c344a6 –sort=version:refname` returns `v0.3.0` through v0.3.8. Pattern checks across all release tags showed the TTL config/API resolver and the Web UI 24-hour hardcode are present in every `v0.3.x` release from `v0.3.0` to v0.3.8. The current checkout at commit `d92dd9a60de291e2bc1caf73b4e9a99567b31ec0` (v0.3.8-1-gd92dd9a) remains affected.
A safe local PoC run from a clean checkout at commit `d92dd9a60de291e2bc1caf73b4e9a99567b31ec0` on 2026-06-12 uses only in-memory SQLite and httptest. The PoC creates an in-memory Web UI with newTestWeb(t), creates a network `audit-poc-net` with CIDR 10.77.0.0/24, and sets `network_config.enrollment_token_ttl` to 30m. It logs in as the seeded test admin and obtains a CSRF token from GET /ui/hosts/new. It submits `POST /ui/hosts` with network_id=audit-poc-net, name=audit-poc-host, nebula_ips=10.77.0.10, role=host, and kind=agent. It parses the one-shot enrollment token and compares the observed expiry to the configured 30-minute network override. The observed vulnerable output shows observed_token_ttl=24h0m0s configured_network_ttl=30m. The meaningful control is the API sibling which uses s.tokenTTLFor(...), and existing tests verify API-created/regenerated enrollment tokens honor server-default and per-network TTLs.
DailyCVE Form
Platform: `nebula-mgmt`
Version: `v0.3.0` – `v0.3.8`
Vulnerability: TTL Policy Bypass
Severity: Medium
Date: 2026-07-14
Prediction: 2026-07-28
What Undercode Say: Analytics
Check affected versions git tag --contains 6c344a6 --sort=version:refname Verify current commit git describe Output: v0.3.8-1-gd92dd9a Run the PoC test go test ./internal/web -run 'TestSecurityAuditPOC_UIHostCreateIgnoresNetworkEnrollmentTokenTTL' -count=1 -v
PoC code structure (`internal/web/security_audit_poc_test.go`):
func TestSecurityAuditPOC_UIHostCreateIgnoresNetworkEnrollmentTokenTTL(t testing.T) {
// Create in-memory Web UI with newTestWeb(t)
// Create network audit-poc-net with CIDR 10.77.0.0/24
// Set network_config.enrollment_token_ttl to 30m
// Login as seeded test admin
// Obtain CSRF token from GET /ui/hosts/new
// Submit POST /ui/hosts with network_id=audit-poc-net, name=audit-poc-host, nebula_ips=10.77.0.10, role=host, kind=agent
// Parse enrollment token from returned host-detail page
// Read token row with GetEnrollmentToken
// Compare observed expiry to configured 30-minute network override
}
Exploit
An authenticated Web UI operator can bypass a configured enrollment-token lifetime policy. The attacker obtains a token valid for approximately 24 hours even when the deployment or network is configured for a much shorter lifetime such as 30 minutes. Because enrollment tokens are bearer credentials for the public enrollment endpoint, longer-than-intended validity increases the window in which a copied, logged, shared, or otherwise exposed token can be used. The attacker can enroll the pending host and obtain its Nebula certificate/config.
Protection
Refactor the Web UI host-creation path to use the same TTL resolution as the API path. Move the resolver into a shared package/service used by both API and Web UI. Add a regression test under `internal/web` that sets network_config.enrollment_token_ttl = "30m", creates an agent host through POST /ui/hosts, and asserts the persisted enrollment token expires within the configured 30-minute window rather than 24 hours.
Impact
This vulnerability weakens confidentiality and integrity for deployments relying on short token lifetimes to reduce enrollment-token exposure. An attacker who reads the DB before a legitimate agent enrolls can consume the single-use token first, mint a cert against their own keypair, and take the agent’s intended Nebula identity.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

