Listen to this Post
This vulnerability, identified as CVE-2026-29196, is an Incorrect Authorization issue in Netmaker, a platform for creating virtual networks with WireGuard. A user assigned the non-administrative “platform-user” role can exploit this flaw by making direct API calls. Specifically, by sending a GET request to the endpoints `/api/extclients/{network}` or /api/nodes/{network}, the server returns full database records for all configurations within that network. While the Netmaker user interface (UI) filters this data to respect user privileges, the underlying API endpoints lack the necessary authorization checks. This oversight results in the exposure of sensitive data, most critically the private keys for all WireGuard configurations in the network, to any authenticated user with network access, regardless of their ownership or need-to-know .
Platform: Netmaker
Version: Prior to 1.5.0
Vulnerability: Incorrect Authorization
Severity: High
date: Mar 7, 2026
Prediction: Mar 9, 2026
What Undercode Say:
Analytics:
The core issue is a missing authorization check on the server-side for specific API handlers. The functions responsible for fetching extclient and node details do not verify if the requesting user has the right to view the private keys contained within those records.
Exploit:
An attacker with a valid “platform-user” account and network access could use a tool like `curl` to exfiltrate all WireGuard private keys.
curl -X GET https://<netmaker-server>/api/extclients/<target-network> \ -H "Authorization: Bearer <valid-user-jwt-token>"
curl -X GET https://<netmaker-server>/api/nodes/<target-network> \ -H "Authorization: Bearer <valid-user-jwt-token>"
Protection from this CVE:
The primary protection is to upgrade to Netmaker version 1.5.0 or later, where the patch is applied . A temporary workaround could involve network segmentation to restrict API access or strict monitoring of API logs for unusual access to these specific endpoints by non-admin users. Ensure proper authorization logic is enforced on all API endpoints.
Impact:
Successful exploitation allows a standard user to retrieve the private keys of every WireGuard peer on a network. This compromises the entire network’s confidentiality, as the attacker can then decrypt traffic, impersonate any node, or potentially gain further unauthorized access to connected systems.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

