Netmaker, Privilege Escalation, CVE-2026-29195 (Moderate)

Listen to this Post

The vulnerability, identified as CVE-2026-29195, exists in the user update handler of Netmaker, a tool for creating virtual networks with WireGuard . The flaw specifically resides in the `PUT /api/users/{username}` endpoint. When an authenticated user with the admin role sends a request to update another user’s account, the backend code fails to properly validate the role being assigned . While the logic correctly prevents an admin from granting another user the admin role, it omits a critical check for the super-admin role . This oversight allows a malicious admin to modify a standard user’s profile, adding the super-admin role to their privileges . Consequently, the admin can escalate their own privileges or create a new super-admin account, gaining full, unrestricted control over the entire Netmaker platform. This effectively bypasses the intended role-based access control (RBAC) hierarchy. The issue is present in all versions before 1.5.0 and has been classified as an “Incorrect Authorization” weakness (CWE-863) . The attack vector is over the network, requires low complexity, and needs high privileges (admin account), but impacts integrity at a high level . The fix was implemented and released in version 1.5.0 .
Platform: Netmaker
Version: <1.5.0
Vulnerability: Privilege Escalation
Severity: Moderate
Date: March 7, 2026

Prediction: Patch already released

What Undercode Say:

Analysis:

The core issue stems from missing server-side validation on role assignments, specifically for the super-admin role. An attacker with admin credentials can directly manipulate the API request.

Exploit:

An admin can exploit this by sending a crafted PUT request to update a user. For example, to grant super-admin rights to the user ‘john’, the following command could be used (note: authentication token required):

curl -X PUT https://[netmaker-server]/api/users/john \
-H "Authorization: Bearer [admin-jwt-token]" \
-H "Content-Type: application/json" \
-d '{"username": "john", "roles": ["super-admin"]}'

Protection from this CVE:

The primary fix is to upgrade to the patched version.

Upgrade Netmaker to the latest stable version
Method depends on installation (Docker, binary, etc.)
Example for Docker:
docker pull gravitl/netmaker:v1.5.0
docker-compose up -d

Impact:

Successful exploitation results in a complete compromise of the Netmaker platform, allowing the attacker to control all networks, nodes, and users.
– Integrity: High (Super-admin can modify all system settings)
– Confidentiality: Potentially High (Access to all network traffic and configurations)

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top