Listen to this Post
CVE-2026-29771 is a high-severity vulnerability affecting the Netmaker server, a platform for creating virtual overlay networks with WireGuard. The issue resides in the `/api/server/shutdown` API endpoint. Prior to version 1.2.0, this endpoint lacked any form of access control, meaning any user, regardless of their privileges, could send a request to it. Upon receiving a valid request, the server would terminate its own process by sending a Unix `syscall.SIGINT` (interrupt signal). This action causes the main Netmaker service to stop. However, the Netmaker server is typically configured to restart automatically, doing so in approximately 3 seconds. This creates a cyclic denial of service (DoS) condition. An attacker can repeatedly call this unauthenticated endpoint, causing the server to enter an endless loop of shutdown and restart, making the service unavailable for legitimate administrative tasks and network operations. The vulnerability is rooted in the improper release of critical system resources, classified under CWE-404. The issue was identified and patched by the maintainers in Netmaker version 1.2.0, which removes or secures the vulnerable endpoint .
Platform: Netmaker
Version: prior to 1.2.0
Vulnerability : Denial of Service
Severity: High (CVSS 8.7)
date: March 7, 2026
Prediction: March 3, 2026
What Undercode Say:
Analytics
The vulnerability is straightforward to exploit as it requires no authentication and no special user privileges. The core issue is a missing authorization check on a highly destructive administrative function (server shutdown). By sending a single HTTP request to /api/server/shutdown, an attacker can immediately halt the server process. The impact is high availability loss, as the server becomes unavailable for all users and connected nodes for approximately 3-second intervals, effectively creating a persistent denial of service with minimal effort from the attacker. The CVSS 4.0 vector string for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N, which confirms its network attack vector, low complexity, no privileges required, and high availability impact .
Commands and Codes
To check your Netmaker server version:
docker ps docker exec <netmaker_container_id> ./netmaker --version
Or, if installed directly:
netmaker --version
To test if a server is vulnerable (use only on your own systems for verification):
curl -X POST http://<vulnerable-server-ip>:<port>/api/server/shutdown
Example using `curl` to exploit the vulnerability repeatedly:
This command will shut down the server. Use with caution. curl -X POST http://192.168.1.100:8081/api/server/shutdown
To view server logs and observe the shutdown signal:
docker logs <netmaker_container_id> --follow
Upgrade to the patched version (v1.2.0 or later) using Docker:
docker pull gravitl/netmaker:v1.2.0 docker-compose up -d
For a non-Docker installation, you would typically use the package manager or build from the source tag `v1.2.0` .
How Exploit
- Reconnaissance: The attacker identifies a target running a Netmaker server version prior to 1.2.0. They can do this by scanning for the default Netmaker ports (e.g., 8081, 443) or by probing the API.
- Craft Request: The attacker crafts a simple HTTP POST request to the vulnerable endpoint.
- Execution: The attacker sends the request. Since no authentication is required, the server accepts it.
- Server Termination: The Netmaker server process receives the `syscall.SIGINT` and shuts down.
- Denial of Service: The service becomes unavailable. If the server is configured to restart (as is common), it will come back online after about 3 seconds. The attacker can then repeat steps 2-4, creating a cycle of continuous downtime and effectively rendering the service unusable.
Protection from this CVE
The primary and most effective protection is to update Netmaker to version 1.2.0 or later. The patch disables or secures the vulnerable `/api/server/shutdown` endpoint .
For systems that cannot be immediately updated, a temporary workaround is to implement a firewall or reverse proxy rule to block access to the specific `/api/server/shutdown` path, especially from untrusted networks. However, this is not a foolproof solution as internal users or compromised nodes could still exploit it.
Impact
A successful exploitation leads to a High availability impact. The core Netmaker server, which manages the entire overlay network, becomes inaccessible. This means:
Administrators cannot access the dashboard or API to manage nodes, users, or networks.
New nodes cannot enroll or join the network.
Existing node configurations may not be updated.
The cyclic nature of the attack (shutdown/restart) ensures the service remains in a constant state of flux, preventing stable operation. This vulnerability allows any unauthenticated user to cause a persistent and trivial denial of service, severely disrupting network operations .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

