Netmaker: Unauthorized Access to Other Hosts with Valid Token
CVE-2026-29194
GHSA-hmqr-wjmj-376c
Summary
A security flaw in Netmaker allows anyone with a valid host token to access, modify, or delete resources belonging to other hosts. This affects various endpoints in Netmaker, including those for retrieving node info, deleting hosts, and managing MQTT signals. To fix this issue, ensure you're running the latest version of Netmaker and consider implementing additional authentication checks to prevent unauthorized access.
What to do
- Update github.com/gravitl/netmaker (vendor gravitl) to version 1.5.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | gravitl | <= 1.5.0 | 1.5.0 |
| gravitl | github.com/gravitl/netmaker | <= 1.5.0 | 1.5.0 |
| gravitl | netmaker | <= 1.5.0 | – |
Original title
Netmaker has Insufficient Authorization in Host Token Verification
Original description
The Authorise middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorisation checks without verifying that the host is authorised to access the specific requested resource. Any entity possessing knowledge of object identifiers (node IDs, host IDs) can craft a request with an arbitrary valid host token to access, modify, or delete resources belonging to other hosts. Affected endpoints include node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations.
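The flaw is a missing object-level check after a valid host token is accepted. The following Go model, added here for illustration and not Netmaker's own code, puts the vulnerable decision beside the fixed one; `HostToken`, `Request`, `authoriseVulnerable` and `authoriseFixed` are hypothetical simplifications (the real middleware also handles user tokens and node routes, where the comparison would be against the node's owning host), and the host IDs are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
)

// HostToken models a host JWT whose signature has already been verified;
// HostID is the host the token was issued to (hypothetical type).
type HostToken struct {
	HostID string
}

// Request models what the middleware needs from an HTTP request: the host
// token presented, and the host whose resource the route addresses
// (e.g. the {hostid} path parameter). Hypothetical type.
type Request struct {
	Token        *HostToken // nil when no valid host token was sent
	TargetHostID string
}

var errUnauthorized = errors.New("unauthorized")

// authoriseVulnerable mirrors the advisory: when the route allows host
// authentication (hostAllowed=true), any valid host token passes, without
// checking that it belongs to the host named in the request.
func authoriseVulnerable(hostAllowed bool, r Request) error {
	if hostAllowed && r.Token != nil {
		return nil // valid token => authorised, no object-level check
	}
	return errUnauthorized
}

// authoriseFixed adds the missing check: the token must have been issued
// to the very host whose resource the route addresses.
func authoriseFixed(hostAllowed bool, r Request) error {
	if !hostAllowed || r.Token == nil {
		return errUnauthorized
	}
	if r.Token.HostID != r.TargetHostID {
		return fmt.Errorf("%w: token for %s cannot act on %s",
			errUnauthorized, r.Token.HostID, r.TargetHostID)
	}
	return nil
}

func main() {
	// Constructed case: host-A's token used against host-B's resource.
	cross := Request{Token: &HostToken{HostID: "host-A"}, TargetHostID: "host-B"}
	fmt.Println("vulnerable:", authoriseVulnerable(true, cross)) // <nil>: allowed
	fmt.Println("fixed:", authoriseFixed(true, cross))           // unauthorized
}
```

The same comparison is a useful detection signal: a host token acting on a host ID other than its own is exactly the request pattern this advisory describes, and logging the mismatch at the middleware gives defenders a record of attempted cross-host access.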
> Credits
> Artem Danilov (Positive Technologies)
NVD CVSS 4.0
8.6
Vulnerability type
CWE-863
Incorrect Authorization
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026