CVE-2026-29196 Overview
CVE-2026-29196 is an Improper Authorization vulnerability in Gravitl Netmaker, a network management platform that creates and manages networks using WireGuard. Prior to version 1.5.0, users assigned the platform-user role can retrieve WireGuard private keys of all WireGuard configurations in a network by calling the GET /api/extclients/{network} or GET /api/nodes/{network} API endpoints. While the Netmaker UI restricts visibility of these sensitive credentials, the underlying API endpoints return full records including private keys without filtering based on the requesting user's ownership.
Critical Impact
This vulnerability allows any authenticated platform-user to access WireGuard private keys across the entire network, potentially compromising the confidentiality of encrypted network communications and enabling unauthorized access to protected network segments.
Affected Products
- Gravitl Netmaker versions prior to 1.5.0
Discovery Timeline
- 2026-03-07 - CVE CVE-2026-29196 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-29196
Vulnerability Analysis
This vulnerability stems from a broken access control implementation (CWE-863: Incorrect Authorization) in Netmaker's REST API. The fundamental issue is a disconnect between the authorization checks enforced at the UI layer versus the API layer. While the web interface properly restricts users from viewing WireGuard configurations they do not own, the backend API endpoints fail to implement equivalent authorization checks.
When a user with the platform-user role makes authenticated requests to the /api/extclients/{network} or /api/nodes/{network} endpoints, the API returns complete configuration records for all external clients and nodes within the specified network. These records include sensitive WireGuard private keys that should only be accessible to the configuration owner or administrators.
The exposure of WireGuard private keys has severe security implications. An attacker with valid platform-user credentials could decrypt all traffic protected by the compromised keys, impersonate legitimate network nodes, establish unauthorized VPN connections, and potentially pivot to attack internal network resources.
Root Cause
The root cause is insufficient server-side authorization validation on the API endpoints. The application relies on UI-level access controls rather than implementing proper authorization checks at the API layer. This violates the principle of defense in depth and allows direct API access to bypass intended access restrictions. The API fails to filter returned records based on the authenticated user's ownership or role permissions.
Attack Vector
The attack requires network access to the Netmaker API and valid credentials for an account with platform-user role privileges. An attacker authenticates to the Netmaker API using their platform-user credentials and then issues GET requests to the vulnerable endpoints (/api/extclients/{network} or /api/nodes/{network}). The API returns full configuration objects including WireGuard private keys for all clients and nodes in the network, regardless of ownership. The attacker can then use the extracted private keys to decrypt network traffic, impersonate nodes, or establish unauthorized connections.
Detection Methods for CVE-2026-29196
Indicators of Compromise
- Unusual or excessive API requests to /api/extclients/{network} or /api/nodes/{network} endpoints from non-administrative users
- Platform-user accounts accessing external client or node configurations they do not own
- Unexpected WireGuard connection attempts using keys that should not be accessible to certain users
- API access logs showing bulk retrieval of network configurations by low-privileged accounts
Detection Strategies
- Implement API audit logging to track all requests to sensitive endpoints and the user context making those requests
- Monitor for anomalous patterns where platform-user accounts access configuration data for resources they did not create
- Deploy web application firewall (WAF) rules to alert on suspicious patterns of API enumeration
- Review access logs for systematic enumeration of network endpoints
Monitoring Recommendations
- Enable detailed logging on Netmaker API endpoints, particularly for authentication and configuration retrieval operations
- Set up alerting for failed and successful authentication attempts followed by bulk API queries
- Establish baseline behavior for platform-user API access patterns to detect deviations
- Monitor WireGuard connection logs for connections from unexpected source IPs or using keys that should be compartmentalized
How to Mitigate CVE-2026-29196
Immediate Actions Required
- Upgrade Gravitl Netmaker to version 1.5.0 or later immediately
- Rotate all WireGuard private keys that may have been exposed through vulnerable Netmaker deployments
- Audit API access logs to identify any unauthorized access to sensitive configuration endpoints
- Review platform-user accounts for any suspicious activity or unauthorized access patterns
Patch Information
Gravitl has released version 1.5.0 of Netmaker which addresses this vulnerability by implementing proper authorization checks on the affected API endpoints. The fix ensures that API responses are filtered based on the requesting user's ownership and role permissions, aligning API-level security with the UI restrictions. For more details, see the GitHub Release v1.5.0 and the GitHub Security Advisory GHSA-4hgg-c4rr-6h7f.
Workarounds
- If immediate patching is not possible, consider implementing network-level access controls to restrict API access to trusted administrative networks only
- Temporarily revoke platform-user role access for non-essential users until the patch can be applied
- Deploy a reverse proxy with authorization rules to filter sensitive fields from API responses
- Monitor and alert on all API access to the affected endpoints until patching is complete
# Verify Netmaker version after upgrade
netmaker version
# Expected output should show v1.5.0 or higher
# Review recent API access logs for suspicious activity
grep -E "GET /api/(extclients|nodes)/" /var/log/netmaker/access.log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
