cvebase

Github.Com Gravitl Netmaker vulnerabilities

11 known vulnerabilities affecting github.com/gravitl_netmaker.

Total CVEs: 11
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 9, MEDIUM 1

Vulnerabilities

CVE-2023-32077 | P3 | HIGH | PoC | ≥ 0, < 0.17.1; ≥ 0.18.0, < 0.18.6 | 2023-08-25
CVE-2023-32077 [HIGH] CWE-321: Netmaker has Hardcoded DNS Secret Key
### Impact
Hardcoded DNS key usage has been found in Netmaker, allowing unauthenticated users to interact with DNS API endpoints.
### Patches
Issue is patched in 0.17.1, and fixed in 0.18.6+. If users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade
Sources: ghsa, osv

CVE-2022-23650 | P3 | HIGH | ≥ 0, < 0.8.5; ≥ 0.9.0, < 0.9.4 | 2022-02-22
CVE-2022-23650 [HIGH] CWE-321: Use of Hard-coded Cryptographic Key in Netmaker
### Impact
There is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server, if you know the address and username of the admin. This affects the server (netmaker) component, and not clients.
### Patches
This has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. If you are running these versions, the fix is to p
Sources: ghsa, osv

CVE-2026-38651 | P3 | CRITICAL | ≥ 0, < 1.5.0 | 2026-04-28
CVE-2026-38651 [CRITICAL] CWE-347: Netmaker does not verify JWT signatures for host tokens
Netmaker by Gravitl is an open-source WireGuard-based networking platform for creating and managing virtual overlay networks. The `VerifyHostToken` function in `logic/jwts.go` does not validate the JWT signature when verifying host tokens. After calling `jwt.ParseWithClaims`, the function only checks whether the returned token object is non-nil. It do
Sources: ghsa

CVE-2026-29194 | P3 | HIGH | ≥ 0, < 1.5.0 | 2026-03-09
CVE-2026-29194 [HIGH] CWE-863: Netmaker has Insufficient Authorization in Host Token Verification
The Authorise middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorisation checks without verifying that the host is authorised to access the specific requested resource. Any entity possessing knowledge of object ide
Sources: ghsa, osv

CVE-2023-32079 | P3 | HIGH | ≥ 0, < 0.17.1; ≥ 0.18.0, < 0.18.6 | 2023-08-25
CVE-2023-32079 [HIGH] CWE-915: Netmaker Vulnerable to Privilege Escalation From Non Admin To Admin User
### Impact
A mass assignment vulnerability was found allowing a non-admin user to escalate privileges to admin user.
### Patches
Issue is patched in 0.17.1, and fixed in 0.18.6+. If users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will switch them to the pat
Sources: ghsa, osv

CVE-2022-36110 | P3 | HIGH | ≥ 0, < 0.15.1 | 2022-09-15
CVE-2022-36110 [HIGH] CWE-1220: Netmaker vulnerable to Insufficient Granularity of Access Control
### Impact
Improper Authorization functions lead to non-privileged users running privileged API calls. If you have added users to your Netmaker platform who should not have admin privileges, they could use their auth token to run admin-level functions via the API. In addition, differing response codes based on function calls allowed
Sources: ghsa, osv

CVE-2022-0664 | P3 | HIGH | ≥ 0, < 0.8.5; ≥ 0.9.0, < 0.9.4 | 2022-02-19
CVE-2022-0664 [HIGH] CWE-321: Use of Hard-coded Cryptographic Key in Netmaker
Netmaker prior to versions 0.8.5, 0.9.4, 0.10.0, and 0.10.1 uses a hard-coded cryptographic key.
Sources: ghsa, osv

CVE-2023-32078 | P3 | HIGH | ≥ 0, < 0.17.1; ≥ 0.18.0, < 0.18.6 | 2023-08-25
CVE-2023-32078 [HIGH] CWE-639: Netmaker IDOR Allows User to Update Other User's Password
### Impact
An IDOR vulnerability was found in the user update function. By specifying another user's username it is possible to update the other user's password.
### Patches
Issue is patched in 0.17.1, and fixed in 0.18.6+. If users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will switch
Sources: ghsa, osv

CVE-2026-29195 | P3 | MEDIUM | ≥ 0, < 1.5.0 | 2026-03-09
CVE-2026-29195 [MEDIUM] CWE-863: Netmaker has Privilege Escalation from Admin to Super-Admin via User Update
The user update handler (PUT /api/users/{username}) lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly blocks an admin from assigning the admin role to another user, it does not include an equivalent check for the super-admin role. >
Sources: ghsa, osv

CVE-2026-29771 | P3 | HIGH | ≥ 0, < 1.2.0 | 2026-03-04
CVE-2026-29771 [HIGH] CWE-404: Netmaker Vulnerable to Denial of Service via Server Shutdown Endpoint
The /api/server/shutdown endpoint allows termination of the Netmaker server process via syscall.SIGINT. This allows any user to repeatedly shut down the server, causing cyclic denial of service with approximately 3-second restart intervals.
Sources: ghsa, osv

CVE-2026-29196 | P4 | HIGH | ≥ 0, < 1.5.0 | 2026-03-09
CVE-2026-29196 [HIGH] CWE-863: Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys
A user assigned the platform-user role can retrieve WireGuard private keys of all WireGuard configs in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. While the Netmaker UI restricts visibility, the API endpoints return full records, including pri
Sources: ghsa, osv