CVE-2026-38651
Published 2026-04-28
Priority P3 · 54 · high · 8.2 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.30% (21.4th percentile)
An authentication bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gravitl_netmaker | >= 0 < 1.5.0 | 1.5.0 |
| netmaker | netmaker | < 1.5.0 | 1.5.0 |
VulDB
CVE-2026-38651 [HIGH] Netmaker up to 1.4.x logic/jwts.go VerifyHostToken information disclosure (EUVD-2026-26062)
vuldb · 2026-04-28 · CVSS 8.2
A vulnerability identified as problematic has been detected in Netmaker up to 1.4.x. Impacted is the function VerifyHostToken of the file logic/jwts.go. Performing a manipulation results in information disclosure.
This vulnerability is identified as CVE-2026-38651. The attack can only be performed from the local network. There is not any exploit available.
You should upgrade the affected component.
GHSA
CVE-2026-38651 [CRITICAL] CWE-347 Netmaker does not verify JWT signatures for host tokens
ghsa · 2026-04-28
Netmaker by Gravitl is an open-source WireGuard-based networking platform for creating and managing virtual overlay networks. The `VerifyHostToken` function in `logic/jwts.go` does not validate the JWT signature when verifying host tokens. After calling `jwt.ParseWithClaims`, the function only checks whether the returned token object is non-nil. It does not check `token.Valid` or the returned error. An attacker can forge a JWT signed with any key, set the claims to any host ID, and pull that host's full configuration including bcrypt-hashed passwords, MQTT credentials, and WireGuard peer data. The issue was patched in v1.5.0.
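To make the flaw described above concrete, here is an added Go example that is not Netmaker's code and not the golang-jwt library: a minimal HS256 parser that reproduces the library contract the advisory relies on (a non-nil token is returned even when the signature fails, with the failure reported only through the error and `Valid`), beside the nil-only check and the corrected check. All names (`parseHS256`, `signHS256`, `acceptHostToken`) and keys are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Token mirrors the jwt library's result: non-nil even when the signature fails.
type Token struct{ Claims map[string]any; Valid bool }

func hs256(input string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
// parseHS256 stands in for jwt.ParseWithClaims (constructed, not the library):
// claims decode regardless; a bad signature surfaces only through err and Valid.
func parseHS256(tok string, key []byte) (*Token, error) {
	h, rest, ok1 := strings.Cut(tok, ".")
	b, sig, ok2 := strings.Cut(rest, ".")
	body, err := base64.RawURLEncoding.DecodeString(b)
	t := &Token{}
	if !ok1 || !ok2 || err != nil || json.Unmarshal(body, &t.Claims) != nil {
		return nil, errors.New("malformed token")
	}
	if !hmac.Equal([]byte(sig), []byte(hs256(h+"."+b, key))) {
		return t, errors.New("signature is invalid") // t is non-nil here
	}
	t.Valid = true
	return t, nil
}
// signHS256 issues a token under key (constructed helper; header is {"alg":"HS256"}).
func signHS256(claims map[string]any, key []byte) string {
	body, _ := json.Marshal(claims)
	in := "eyJhbGciOiJIUzI1NiJ9." + base64.RawURLEncoding.EncodeToString(body)
	return in + "." + hs256(in, key)
}
// acceptHostToken returns the token a handler would trust. checkValid=false is
// the flawed nil-only check; checkValid=true also requires err == nil and Valid.
func acceptHostToken(tok string, key []byte, checkValid bool) *Token {
	t, err := parseHS256(tok, key)
	if t == nil || (checkValid && (err != nil || !t.Valid)) {
		return nil
	}
	return t
}
```

A regression test for this class of bug signs a token under a key the server does not hold and asserts that the verifier rejects it; the nil-only check passes such a token through with `Valid` false.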
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79b
- https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass
- https://www.zyenra.com/blog/netmaker-jwt-verification-bypass