Listen to this Post
The vulnerability, identified as CVE-2026-29195, exists in the user update handler of Netmaker, a tool for creating virtual networks with WireGuard . The flaw specifically resides in the `PUT /api/users/{username}` endpoint. When an authenticated user with the admin role sends a request to update another user’s account, the backend code fails to properly validate the role being assigned . While the logic correctly prevents an admin from granting another user the admin role, it omits a critical check for the super-admin role . This oversight allows a malicious admin to modify a standard user’s profile, adding the super-admin role to their privileges . Consequently, the admin can escalate their own privileges or create a new super-admin account, gaining full, unrestricted control over the entire Netmaker platform. This effectively bypasses the intended role-based access control (RBAC) hierarchy. The issue is present in all versions before 1.5.0 and has been classified as an “Incorrect Authorization” weakness (CWE-863) . The attack vector is over the network, requires low complexity, and needs high privileges (admin account), but impacts integrity at a high level . The fix was implemented and released in version 1.5.0 .
Platform: Netmaker
Version: <1.5.0
Vulnerability: Privilege Escalation
Severity: Moderate
Date: March 7, 2026
Prediction: Patch already released
What Undercode Say:
Analysis:
The core issue stems from missing server-side validation on role assignments, specifically for the super-admin role. An attacker with admin credentials can directly manipulate the API request.
Exploit:
An admin can exploit this by sending a crafted PUT request to update a user. For example, to grant super-admin rights to the user ‘john’, the following command could be used (note: authentication token required):
curl -X PUT https://[netmaker-server]/api/users/john \
-H "Authorization: Bearer [admin-jwt-token]" \
-H "Content-Type: application/json" \
-d '{"username": "john", "roles": ["super-admin"]}'
Protection from this CVE:
The primary fix is to upgrade to the patched version.
Upgrade Netmaker to the latest stable version Method depends on installation (Docker, binary, etc.) Example for Docker: docker pull gravitl/netmaker:v1.5.0 docker-compose up -d
Impact:
Successful exploitation results in a complete compromise of the Netmaker platform, allowing the attacker to control all networks, nodes, and users.
– Integrity: High (Super-admin can modify all system settings)
– Confidentiality: Potentially High (Access to all network traffic and configurations)
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

