Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.7
Netmaker allows non-admins to access WireGuard private keys
CVE-2026-29196
GHSA-4hgg-c4rr-6h7f
GHSA-4hgg-c4rr-6h7f
Summary
A user with a specific role in Netmaker can access private keys for all WireGuard configurations in a network through the API. This could allow unauthorized access to sensitive network information. Update to version 1.5.0 or later to fix this issue.
What to do
- Update github.com gravitl to version 1.5.0.
- Update gravitl github.com/gravitl/netmaker to version 1.5.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | gravitl | <= 1.5.0 | 1.5.0 |
| gravitl | github.com/gravitl/netmaker | <= 1.5.0 | 1.5.0 |
| gravitl | netmaker | <= 1.5.0 | – |
Original title
Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/...
Original description
Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. While the Netmaker UI restricts visibility, the API endpoints return full records, including private keys, without filtering based on the requesting user's ownership. This issue has been patched in version 1.5.0.
nvd CVSS4.0
8.7
Vulnerability type
CWE-863
Incorrect Authorization
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026