EXECUTIVE SUMMARY:
Five vulnerabilities have been observed in Nebula Mesh, a distributed networking and mesh management solution. The issues span unauthorized audit-log disclosure, missing CSRF protection on mutating UI endpoints, absent ownership checks on API routes, and lack of essential security headers. Together, they enable information leakage, privilege escalation, cross-tenant resource manipulation, and exposure to clickjacking or downgrade attacks. For organizations relying on Nebula Mesh to secure internal communications, these flaws threaten the confidentiality, integrity, and availability of critical infrastructure, potentially leading to unauthorized administrative access and operational disruption.
CVE-2026-47726 with a CVSS score of 7.1 - The GET /api/v1/audit-log endpoint returns the full audit log to any operator API key without admin verification, allowing an attacker with a valid operator token to enumerate cross-tenant activity and infer sensitive operational patterns.
CVE-2026-47725 with a CVSS score of 7.0 - The web UI lacks CSRF tokens on mutating /ui/* endpoints, so a malicious site can cause an authenticated operator's browser to submit privileged actions such as CA deletion or key minting, requiring only the operator's session cookie.
CVE-2026-47724 with a CVSS score of 9.9 - API routes trust bearer tokens without ownership checks, enabling a low-privilege operator to create admin API keys, re-enroll hosts, and modify any tenant's resources, effectively achieving full admin takeover.
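The two API findings above (the admin-only audit log served to any operator key, and routes that accept a bearer token without checking ownership) share one root cause: authentication is done but authorization is not. The following is an added example, not code from the advisory or from the Nebula Mesh project, showing the separation a hardened API keeps: resolve the token to a principal (key, tenant, role), then apply a per-route check. Go is used because Nebula itself is written in Go; the store layout, role names, token strings and host IDs are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Role is the privilege level attached to an API key (names assumed for this example).
type Role string

const (
	RoleOperator Role = "operator"
	RoleAdmin    Role = "admin"
)

// Principal is what a bearer token resolves to: which key, which tenant, which role.
type Principal struct {
	KeyID  string
	Tenant string
	Role   Role
}

// Store stands in for the management database with constructed sample rows.
type Store struct {
	Keys  map[string]Principal // bearer token -> principal
	Hosts map[string]string    // host ID -> owning tenant
}

var (
	ErrUnauthenticated = errors.New("unauthenticated")
	ErrForbidden       = errors.New("forbidden")
)

// Authenticate answers only "who is calling?"; it never decides what they may do.
func (s *Store) Authenticate(r *http.Request) (Principal, error) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if p, ok := s.Keys[tok]; ok && tok != "" {
		return p, nil
	}
	return Principal{}, ErrUnauthenticated
}

// AuthorizeAuditLog: the audit log is admin-only. An operator key is valid but insufficient.
func AuthorizeAuditLog(p Principal) error {
	if p.Role != RoleAdmin {
		return ErrForbidden
	}
	return nil
}

// AuthorizeCreateKey: a caller may never mint a key with more privilege than it holds,
// and a non-admin stays inside its own tenant.
func AuthorizeCreateKey(p Principal, forTenant string, role Role) error {
	if p.Role == RoleAdmin {
		return nil
	}
	if role == RoleAdmin || forTenant != p.Tenant {
		return ErrForbidden
	}
	return nil
}

// AuthorizeHostWrite: re-enrolling or modifying a host requires that the caller's tenant
// owns it. Unknown IDs are reported as forbidden rather than "not found", so the
// difference cannot be used to probe other tenants' host IDs.
func (s *Store) AuthorizeHostWrite(p Principal, hostID string) error {
	owner, ok := s.Hosts[hostID]
	if !ok || (p.Role != RoleAdmin && owner != p.Tenant) {
		return ErrForbidden
	}
	return nil
}

// AuditLogHandler keeps the two steps visibly separate: authenticate, then authorize.
func (s *Store) AuditLogHandler(w http.ResponseWriter, r *http.Request) {
	p, err := s.Authenticate(r)
	if err != nil {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if err := AuthorizeAuditLog(p); err != nil {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprintln(w, "[]") // the log body itself is out of scope here
}

// CallAuditLog drives the handler in-process and returns the HTTP status it produced.
func CallAuditLog(s *Store, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/audit-log", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	s.AuditLogHandler(rec, req)
	return rec.Code
}

// SampleStore returns constructed data: one operator key in tenantA, one global admin key.
func SampleStore() *Store {
	return &Store{
		Keys: map[string]Principal{
			"op-token-tenantA": {KeyID: "k1", Tenant: "tenantA", Role: RoleOperator},
			"admin-token":      {KeyID: "k2", Tenant: "", Role: RoleAdmin},
		},
		Hosts: map[string]string{"host-1": "tenantA", "host-2": "tenantB"},
	}
}

func main() {
	s := SampleStore()
	op := s.Keys["op-token-tenantA"]
	fmt.Println("operator reads audit log:", CallAuditLog(s, "op-token-tenantA")) // 403
	fmt.Println("admin reads audit log:", CallAuditLog(s, "admin-token"))         // 200
	fmt.Println("operator mints admin key:", AuthorizeCreateKey(op, "tenantA", RoleAdmin))
	fmt.Println("operator edits foreign host:", s.AuthorizeHostWrite(op, "host-2"))
}
```

The point worth copying is that every mutating route derives the tenant from the authenticated principal, never from the request body or path, and that an authorization failure is a distinct outcome (403) from a missing or unknown token (401), which makes the two classes easy to tell apart in access logs.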
CVE-2026-47723 with a CVSS score of 7.1 - Responses from both the UI and API omit standard security headers (CSP, X-Frame-Options, HSTS, etc.), exposing administrators to clickjacking, MIME-sniffing, and downgrade attacks.
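Missing security headers are both easy to fix centrally and easy to verify. As an added example (not code from the advisory or the Nebula Mesh project), the Go middleware below sets a baseline header set on every response and a small audit function reports which of those headers a handler is missing, which is the check to run against a deployed instance. The header values are a reasonable baseline assumed for this example; the CSP in particular has to be tuned to what the real UI loads.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// RequiredSecurityHeaders is the baseline every UI and API response should carry.
// Values are assumptions for this example: the CSP forbids framing (frame-ancestors) and
// plugins, X-Frame-Options covers older browsers, nosniff stops MIME sniffing, and HSTS
// (only honoured over TLS) prevents downgrade to plain HTTP.
var RequiredSecurityHeaders = map[string]string{
	"Content-Security-Policy":   "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
	"X-Frame-Options":           "DENY",
	"X-Content-Type-Options":    "nosniff",
	"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
	"Referrer-Policy":           "no-referrer",
}

// SecurityHeaders wraps a handler so the headers are set before the wrapped handler
// writes its body; headers added after the first write would be silently dropped.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range RequiredSecurityHeaders {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// MissingSecurityHeaders audits a response header set and returns, in sorted order,
// the required headers that are absent. An empty result is the passing condition.
func MissingSecurityHeaders(h http.Header) []string {
	names := make([]string, 0, len(RequiredSecurityHeaders))
	for k := range RequiredSecurityHeaders {
		names = append(names, k)
	}
	sort.Strings(names)
	var missing []string
	for _, n := range names {
		if h.Get(n) == "" {
			missing = append(missing, n)
		}
	}
	return missing
}

// ProbeHeaders serves one in-process request through h and returns the response headers.
func ProbeHeaders(h http.Handler) http.Header {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/ui/", nil))
	return rec.Result().Header
}

// bareUI is a stand-in for a UI handler that sets nothing but Content-Type.
func bareUI() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, "<html><body>sample UI page</body></html>")
	})
}

func main() {
	fmt.Println("bare handler missing:   ", MissingSecurityHeaders(ProbeHeaders(bareUI())))
	fmt.Println("wrapped handler missing:", MissingSecurityHeaders(ProbeHeaders(SecurityHeaders(bareUI()))))
}
```

Applying the middleware at the router root, rather than per handler, is what makes the fix cover both the UI and the API; the audit function is equally usable against a live response fetched with an HTTP client.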
CVE-2026-47722 with a CVSS score of 8.7 - User-supplied values are inserted into generated config.yml files without adequate validation. Attackers can inject arbitrary YAML directives, altering agent behavior, promoting hosts to lighthouse or relay roles, and potentially impacting mesh traffic routing and network trust relationships.
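The config injection finding comes from building config.yml by string concatenation. As an added example (not code from the advisory or from Nebula Mesh, and using an illustrative config layout rather than the product's real schema), the Go code below places the concatenating renderer next to a hardened one that allow-lists each field and, independently, quotes every value as a YAML double-quoted scalar. A JSON string literal is a valid YAML 1.2 double-quoted scalar, so encoding/json provides the escaping without a YAML dependency. A small column-0 key scanner shows the difference on a constructed hostile host name.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// EnrollmentInput holds the user-supplied fields this example renders into config.yml.
// Field names and the layout below are illustrative, not the product's real schema.
type EnrollmentInput struct {
	HostName   string
	Lighthouse string // "host:port" the agent should contact
}

// RenderConfigUnsafe is the pattern the advisory describes: raw values are concatenated
// into a template, so a value containing a newline can open new YAML keys.
func RenderConfigUnsafe(in EnrollmentInput) string {
	return "pki:\n  ca: /etc/nebula/ca.crt\n" +
		"enrollment:\n  host_name: " + in.HostName + "\n" +
		"  lighthouse: " + in.Lighthouse + "\n"
}

var (
	hostNameRe  = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)
	hostPortRe  = regexp.MustCompile(`^[a-z0-9.-]{1,253}:[0-9]{1,5}$`)
	ErrBadInput = errors.New("invalid enrollment input")
)

// ValidateEnrollment allow-lists each field before it gets anywhere near the template.
func ValidateEnrollment(in EnrollmentInput) error {
	if !hostNameRe.MatchString(in.HostName) || !hostPortRe.MatchString(in.Lighthouse) {
		return ErrBadInput
	}
	return nil
}

// YAMLScalar quotes an arbitrary string as a YAML double-quoted scalar. A JSON string
// literal is a valid YAML 1.2 double-quoted scalar, so encoding/json does the escaping:
// newlines become \n, quotes become \", and the value stays on its own line.
func YAMLScalar(s string) string {
	b, _ := json.Marshal(s) // marshalling a plain string cannot fail
	return string(b)
}

// RenderConfigSafe validates first and quotes every scalar anyway (defence in depth), so
// even a value that slipped past validation could not change the document structure.
func RenderConfigSafe(in EnrollmentInput) (string, error) {
	if err := ValidateEnrollment(in); err != nil {
		return "", err
	}
	return "pki:\n  ca: /etc/nebula/ca.crt\n" +
		"enrollment:\n  host_name: " + YAMLScalar(in.HostName) + "\n" +
		"  lighthouse: " + YAMLScalar(in.Lighthouse) + "\n", nil
}

// TopLevelKeys lists the column-0 mapping keys of a rendered document. A generator that
// does its job yields exactly the keys of its template, never any contributed by input.
func TopLevelKeys(doc string) []string {
	var keys []string
	for _, line := range strings.Split(doc, "\n") {
		if line == "" || line[0] == ' ' || line[0] == '#' {
			continue
		}
		if i := strings.Index(line, ":"); i > 0 {
			keys = append(keys, line[:i])
		}
	}
	return keys
}

func main() {
	// Constructed injection attempt: a newline followed by a new top-level mapping.
	hostile := EnrollmentInput{
		HostName:   "node1\nlighthouse:\n  am_lighthouse: true",
		Lighthouse: "lh.example.internal:4242",
	}
	fmt.Println("unsafe renderer top-level keys:", TopLevelKeys(RenderConfigUnsafe(hostile)))
	if _, err := RenderConfigSafe(hostile); err != nil {
		fmt.Println("safe renderer:", err)
	}
	clean := EnrollmentInput{HostName: "node1", Lighthouse: "lh.example.internal:4242"}
	out, _ := RenderConfigSafe(clean)
	fmt.Print(out)
}
```

Validation and quoting do different jobs: the allow-list rejects anything that is not a plausible host name or address, while quoting guarantees that whatever string is emitted is a single scalar. For a generator of any size, serialising a typed struct with a YAML library is the cleaner version of the same idea, since the library quotes on the caller's behalf.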
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-qm33-p5p9-f8vg
https://github.com/advisories/GHSA-273q-qgh5-wrj6
https://github.com/advisories/GHSA-598g-h2vc-h5vg
https://github.com/advisories/GHSA-w7w5-5gcp-38rw
https://github.com/advisories/GHSA-7hp6-g3pq-3pc3