CVE-2026-29195 Overview
A privilege escalation vulnerability has been identified in Gravitl Netmaker, an open-source network management platform that leverages WireGuard for creating secure networks. Prior to version 1.5.0, the user update handler (PUT /api/users/{username}) contains an authorization bypass flaw that allows admin-role users to assign the super-admin role during account updates. While the application correctly prevents admin users from assigning the admin role to other users, an equivalent validation check for the super-admin role is missing, enabling unauthorized privilege escalation.
Critical Impact
Admin-level users can escalate their privileges to super-admin, potentially gaining full control over the Netmaker deployment and all connected WireGuard networks.
Affected Products
- Gravitl Netmaker versions prior to 1.5.0
Discovery Timeline
- 2026-03-07 - CVE-2026-29195 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-29195
Vulnerability Analysis
This vulnerability represents an Improper Authorization flaw (CWE-863) in Netmaker's user management API. The issue stems from incomplete access control validation in the user update endpoint, where the application fails to enforce proper role assignment restrictions.
When an admin user makes a PUT request to the /api/users/{username} endpoint to update user account details, the backend logic performs validation to prevent the admin from assigning the admin role to other users. However, the validation logic does not extend to the super-admin role. This oversight allows an authenticated admin user to modify their own account or another user's account to include the super-admin role, effectively bypassing the intended privilege hierarchy.
The vulnerability requires network access to the Netmaker API and high-level (admin) privileges to exploit. While the attack complexity is low and requires no user interaction, the prerequisite of admin access somewhat limits the immediate attack surface.
Root Cause
The root cause of this vulnerability is an incomplete authorization check in the user update handler. The application implements role-based access controls but fails to account for all sensitive role assignments. Specifically, the code path that validates role changes during user updates only checks for the admin role assignment but does not include equivalent logic for the super-admin role. This represents a logic flaw where the developers implemented partial security controls without considering all privilege levels in the role hierarchy.
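A simplified model of the flaw described above, written as an added example in Go (Netmaker's implementation language) and not taken from Netmaker's source; the User type, role labels and the two validation functions are assumptions made for the illustration, the vulnerable one reproducing the missing super-admin check and the fixed one ranking roles so that a caller can only grant roles strictly below its own:

```go
package main

import (
	"errors"
)

// Role labels and the User type are simplified stand-ins for this illustration,
// not Netmaker's own identifiers.
const (
	RoleUser       = "user"
	RoleAdmin      = "admin"
	RoleSuperAdmin = "super-admin"
)

type User struct {
	Name string
	Role string
}

var ErrForbidden = errors.New("caller may not assign this role")

// validateRoleVulnerable models the pre-1.5.0 logic as the advisory describes
// it: an admin caller is stopped from assigning "admin", but nothing stops the
// same caller from assigning "super-admin" (CWE-863).
func validateRoleVulnerable(caller, current, requested User) error {
	if caller.Role == RoleSuperAdmin || requested.Role == current.Role {
		return nil
	}
	if requested.Role == RoleAdmin {
		return ErrForbidden
	}
	return nil // "super-admin" falls through here: the missing check
}

// validateRoleFixed closes the gap by ranking roles: a non-super-admin caller
// may only grant roles strictly below its own, and unknown roles are rejected.
func validateRoleFixed(caller, current, requested User) error {
	rank := map[string]int{RoleUser: 0, RoleAdmin: 1, RoleSuperAdmin: 2}
	if caller.Role == RoleSuperAdmin || requested.Role == current.Role {
		return nil
	}
	want, ok := rank[requested.Role]
	if !ok || want >= rank[caller.Role] {
		return ErrForbidden
	}
	return nil
}
```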
Attack Vector
An attacker with admin-level access to the Netmaker deployment can exploit this vulnerability through the following attack flow:
- Authenticate to Netmaker with valid admin credentials
- Send a crafted PUT request to /api/users/{username} (either their own username or another user's)
- Include the super-admin role in the request payload
- The server processes the request without blocking the role assignment
- The attacker now has super-admin privileges, granting full control over the Netmaker instance and all managed WireGuard networks
This attack can be performed entirely over the network without requiring physical access. The vulnerability allows vertical privilege escalation from admin to super-admin, which represents a significant security boundary violation.
Detection Methods for CVE-2026-29195
Indicators of Compromise
- Unexpected role changes in user accounts, particularly assignments to super-admin role
- Audit log entries showing PUT requests to /api/users/{username} endpoints with role modifications
- Admin accounts with recently elevated super-admin privileges without proper authorization workflows
- Unusual API activity patterns from admin-level accounts targeting user management endpoints
Detection Strategies
- Implement monitoring for API calls to /api/users/{username} that include role modification parameters
- Review audit logs for any super-admin role assignments that did not follow standard authorization procedures
- Deploy web application firewall rules to detect and alert on suspicious role assignment payloads
- Conduct regular access control audits to identify unauthorized privilege escalations
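One way to implement the first two strategies over audit logs, as an added example in Go that is not part of the advisory or of Netmaker; the key=value log layout and the sample lines are constructed, so the field names must be adapted to whatever the deployment actually emits:

```go
package main

import (
	"strings"
)

// Constructed audit log lines in a key=value layout; the real Netmaker log
// format may differ, so adapt the field names to what the deployment emits.
const sampleLog = `2026-03-10T09:12:01Z method=GET path=/api/users/alice caller=alice status=200
2026-03-10T09:13:44Z method=PUT path=/api/users/bob caller=alice role=user status=200
2026-03-10T09:15:02Z method=PUT path=/api/users/alice caller=alice role=super-admin status=200
2026-03-10T09:16:30Z method=PUT path=/api/users/carol caller=root role=super-admin status=200
2026-03-10T09:17:11Z method=PUT path=/api/users/dave caller=alice role=super-admin status=403`

// Finding records one suspicious user-update request.
type Finding struct {
	Time, Caller, Target string
	SelfElevation        bool
}

// field returns the value of key=value in one line, or "" when absent.
func field(line, key string) string {
	for _, tok := range strings.Fields(line) {
		if strings.HasPrefix(tok, key+"=") {
			return strings.TrimPrefix(tok, key+"=")
		}
	}
	return ""
}

// FlagSuperAdminGrants returns every PUT /api/users/{username} carrying the
// super-admin role from a caller that is not a known super-admin. Rejected
// requests (status 403) are kept: an attempt is itself worth an alert.
func FlagSuperAdminGrants(log string, knownSuperAdmins map[string]bool) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		if field(line, "method") != "PUT" || field(line, "role") != "super-admin" {
			continue
		}
		path := field(line, "path")
		target := strings.TrimPrefix(path, "/api/users/")
		caller := field(line, "caller")
		if target == path || target == "" || strings.Contains(target, "/") || knownSuperAdmins[caller] {
			continue // not a single-user update, or a legitimate grant
		}
		out = append(out, Finding{Time: strings.Fields(line)[0], Caller: caller,
			Target: target, SelfElevation: caller == target})
	}
	return out
}
```

Self-elevation (caller and target identical) is the pattern most specific to this CVE, but a grant to any other account by a non-super-admin caller is equally worth reviewing.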
Monitoring Recommendations
- Enable detailed logging for all user management API endpoints in Netmaker
- Configure alerts for any role changes involving the super-admin role
- Monitor for unusual patterns of admin user activity, especially around user update operations
- Implement real-time anomaly detection for API request patterns targeting authentication and authorization endpoints
How to Mitigate CVE-2026-29195
Immediate Actions Required
- Upgrade Netmaker to version 1.5.0 or later immediately
- Review all user accounts for unauthorized super-admin role assignments
- Audit recent API logs for suspicious PUT requests to user update endpoints
- If an immediate upgrade is not possible, temporarily restrict admin account access until the patch is applied
Patch Information
Gravitl has released Netmaker version 1.5.0, which includes a fix for this vulnerability. The patch adds the missing validation logic so that admin-role users can no longer assign the super-admin role during account updates. Organizations running affected versions should upgrade as soon as possible.
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-ch3w-9456-38v3 and the Netmaker v1.5.0 release notes.
Workarounds
- Limit admin account distribution to only trusted personnel who require administrative access
- Implement network-level access controls to restrict API access to trusted IP ranges
- Enable comprehensive audit logging and actively monitor for role modification attempts
- Consider implementing additional authentication layers such as multi-factor authentication for admin accounts
- Review and remove unnecessary admin accounts to reduce the attack surface
# Upgrade Netmaker to patched version
# Stop the current Netmaker instance
docker-compose down
# Pull the latest patched version
docker pull gravitl/netmaker:v1.5.0
# Update docker-compose.yml to use version 1.5.0
# Restart with the patched version
docker-compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.