A medium-severity vulnerability affecting github.com/forgekeep/nebula-mesh, identified as CVE-2026-53602 with a CVSS score of 4.9, exists in nebula-mesh due to two related authorization gaps that allow a host, blocked or offboarded by an operator, to regain a valid certificate. The flaw type is an integrity and operational revocation failure, occurring because the blocklist is not enforced during certificate signing or re-enrollment, and renewal does not re-validate operator or Certificate Authority (CA) status. An attacker with required operator-level access can issue a new enrollment token and re-enroll the host, allowing it to obtain a fresh certificate that bypasses previous revocation controls. The business impact is significant, as hosts provisioned by a disabled operator may continue renewing certificates indefinitely, preventing effective offboarding and revocation of previously trusted systems.
We recommend you to update github.com/forgekeep/nebula-mesh to version 0.7.4 or later.[/subscribe_to_unlock_form]
A medium-severity vulnerability affecting github.com/forgekeep/nebula-mesh, identified as CVE-2026-53602 with a CVSS score of 4.9, exists in nebula-mesh due to two related authorization gaps that allow a host, blocked or offboarded by an operator, to regain a valid certificate. The flaw type is an integrity and operational revocation failure, occurring because the blocklist is not enforced during certificate signing or re-enrollment, and renewal does not re-validate operator or Certificate Authority (CA) status. An attacker with required operator-level access can issue a new enrollment token and re-enroll the host, allowing it to obtain a fresh certificate that bypasses previous revocation controls. The business impact is significant, as hosts provisioned by a disabled operator may continue renewing certificates indefinitely, preventing effective offboarding and revocation of previously trusted systems.
We recommend you to update github.com/forgekeep/nebula-mesh to version 0.7.4 or later.[emaillocker id="1283"]
The following reports contain further technical details:
[/emaillocker]