GHSA-C6V2-3FFM-VCMC

Vulnerability from github – Published: 2026-06-26 21:29 – Updated: 2026-06-26 21:29
VLAI
Summary
Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete)
Details

Summary

The web UI (/ui/*) does not apply the per-operator CA scoping the JSON API received for GHSA-598g-h2vc-h5vg. Any authenticated non-admin operator (for example, one created via self-registration or OIDC) can access resources belonging to other operators.

Impact

A non-admin operator can:

  • Block or delete any other operator's host. POST /ui/hosts/{id}/block and DELETE /ui/hosts/{id} act on the URL id with no ownership check, so a non-admin can block (revoking the host's certificate via the blocklist) or delete any host in the deployment — a cross-operator denial of service.
  • Read every operator's hosts and networks. The dashboard, /ui/hosts, the host detail page, /ui/networks (including the create-form error re-render), and the /ui/events stream all return data across all operators, exposing host names, Nebula IPs, public IPs, certificate fingerprints and expiry, and network names and CIDRs.

This is the same cross-operator class as GHSA-598g; that remediation covered the JSON API but not the web read/mutation surface. The host create/edit/mobile-bundle/network-create paths and all CA-management routes were already correctly scoped.

Affected handlers (internal/web): handleHostDetail, handleHostBlock, handleHostDelete, handleDashboard, handlePartialStats, handleHosts, handleNetworks, renderNetworksError, handleHostEvents.

Conditions

Exposure requires at least one non-admin operator to exist (self-registration enabled, OIDC, or an admin-created user). A single-admin deployment with no additional operators is not affected.

Fix

A complete candidate fix with regression tests is ready in a private repository shared with the maintainer (ak2k/nebula-mesh-ghsa-web, PR #1): scope these handlers to the session operator's owned CAs (admins keep the full view), mirroring the API's ownership checks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/juev/nebula-mesh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T21:29:02Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe web UI (`/ui/*`) does not apply the per-operator CA scoping the JSON API received for GHSA-598g-h2vc-h5vg. Any authenticated non-admin operator (for example, one created via self-registration or OIDC) can access resources belonging to other operators.\n\n## Impact\n\nA non-admin operator can:\n\n- **Block or delete any other operator\u0027s host.** `POST /ui/hosts/{id}/block` and `DELETE /ui/hosts/{id}` act on the URL `id` with no ownership check, so a non-admin can block (revoking the host\u0027s certificate via the blocklist) or delete any host in the deployment \u2014 a cross-operator denial of service.\n- **Read every operator\u0027s hosts and networks.** The dashboard, `/ui/hosts`, the host detail page, `/ui/networks` (including the create-form error re-render), and the `/ui/events` stream all return data across all operators, exposing host names, Nebula IPs, public IPs, certificate fingerprints and expiry, and network names and CIDRs.\n\nThis is the same cross-operator class as GHSA-598g; that remediation covered the JSON API but not the web read/mutation surface. The host create/edit/mobile-bundle/network-create paths and all CA-management routes were already correctly scoped.\n\nAffected handlers (`internal/web`): `handleHostDetail`, `handleHostBlock`, `handleHostDelete`, `handleDashboard`, `handlePartialStats`, `handleHosts`, `handleNetworks`, `renderNetworksError`, `handleHostEvents`.\n\n## Conditions\n\nExposure requires at least one non-admin operator to exist (self-registration enabled, OIDC, or an admin-created user). A single-admin deployment with no additional operators is not affected.\n\n## Fix\n\nA complete candidate fix with regression tests is ready in a private repository shared with the maintainer (`ak2k/nebula-mesh-ghsa-web`, PR #1): scope these handlers to the session operator\u0027s owned CAs (admins keep the full view), mirroring the API\u0027s ownership checks.",
  "id": "GHSA-c6v2-3ffm-vcmc",
  "modified": "2026-06-26T21:29:02Z",
  "published": "2026-06-26T21:29:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/juev/nebula-mesh/security/advisories/GHSA-c6v2-3ffm-vcmc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/juev/nebula-mesh"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete)"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…