CVE-2026-47724 - nebula-mesh API ownership authorization bypass

nebula-mesh versions before 0.3.4 trusted an authenticated bearer token for many /api/v1/* API routes without consistently checking whether the operator owned the target resource. A non-admin operator could use affected endpoints to mint or manage API keys, reenroll hosts, mutate host/network/firewall state, or access mobile bundles outside their owned certificate-authority boundary.

This is an authorization boundary failure, not a missing-authentication bug. A safe remediation must preserve the existing authenticated API shape while adding per-resource authorization gates that match the web layer’s ownership model.

When to use it

Use this recipe when a Go service depends on nebula-mesh or carries an equivalent authenticated API where operators, hosts, networks, firewall rules, mobile bundles, API keys, or certificate-authority resources need per-owner authorization. It is designed for source-code remediation, tenant/ownership boundary review, audit-log evidence, and regression tests proving non-owner operators receive 403.

Inputs

  • nebula-mesh version, Go module/vendor state, API route inventory, operator role model, ownership schema, web/API authorization helpers, and deployment manifests or generated dependency reports.
  • Source paths for operator API keys, host reenrollment, host/network/firewall handlers, mobile bundles, CA access, auth middleware, audit logging, and test fixtures.
  • Regression fixtures for admin success, owner success, non-owner denial, missing-resource denial, mobile-bundle access, API-key minting, and audit-log behavior.
  • Boundary evidence: tenant/operator ownership rules, privileged endpoint list, production API exposure, logs, migration owner, and rollout owner.

Affected versions

  • Vulnerable package: github.com/juev/nebula-mesh <0.3.4
  • Fixed package: github.com/juev/nebula-mesh 0.3.4+
  • Affected surface: API handlers for operator management, hosts, networks, firewall rules, reenrollment, and mobile bundles
  • Required attacker capability: any valid non-admin operator API key
  • Weakness: missing authorization checks after authentication

Indicator-of-exposure

  • The repository depends on, vendors, forks, deploys, or packages github.com/juev/nebula-mesh before 0.3.4.
  • Product code carries equivalent API handlers that authorize only on bearer token presence and not on the target operator, host, network, or CA owner.
  • Routes such as /api/v1/operators/*/api-keys, /api/v1/hosts/*/reenroll, /api/v1/hosts*, /api/v1/networks*, /api/v1/networks/*/firewall, or /api/v1/hosts/*/mobile-bundle are reachable by non-admin operators.
  • Tests cover admin success paths but not non-owner operator denial paths.
  • Audit logs do not clearly record forbidden cross-operator attempts.

Quick checks:

rg -n "nebula-mesh|github.com/juev/nebula-mesh|handleCreateOperatorAPIKey|handleReenroll|mintEnrollmentTokenForHost|mobile-bundle|canAccessCA|actorIsAdmin|loadAccessibleCA|/api/v1/(hosts|networks|operators)" .
go list -m -json github.com/juev/nebula-mesh
rg -n "requireAdmin|requireOperatorAccess|requireHostAccess|requireNetworkAccess|403|forbidden|audit" internal tests . 2>/dev/null

Windows:

rg -n "nebula-mesh|github.com/juev/nebula-mesh|handleCreateOperatorAPIKey|handleReenroll|mintEnrollmentTokenForHost|mobile-bundle|canAccessCA|actorIsAdmin|loadAccessibleCA|/api/v1/(hosts|networks|operators)" .
go list -m -json github.com/juev/nebula-mesh
rg -n "requireAdmin|requireOperatorAccess|requireHostAccess|requireNetworkAccess|403|forbidden|audit" internal tests .

Do not mint real admin API keys, reenroll live hosts, revoke another operator’s keys, or mutate live firewall/network state while validating exposure.

Remediation strategy

  • Upgrade every controlled github.com/juev/nebula-mesh dependency, vendor tree, container image, SBOM, generated dependency report, and deployment manifest to 0.3.4+.
  • If this repository maintains a fork or equivalent API surface, add shared fail-closed helpers for admin-only actions and owner-scoped host, network, firewall, and mobile-bundle actions.
  • Resolve the actor from the authenticated API key, load the target resource, map the resource to its owning operator or CA, and return 403 for non-owner non-admin actors before any state change or secret material is produced.
  • Preserve existing admin behavior and any explicitly documented legacy config key behavior only where product policy still requires it.
  • Add audit events for forbidden cross-operator API attempts without logging bearer tokens, enrollment tokens, private keys, mobile bundle contents, or certificate material.
  • Review logs and rotate operator API keys if non-admin operators could reach vulnerable endpoints before the fix.

The prompt

You are remediating CVE-2026-47724 / GHSA-598g-h2vc-h5vg, a critical
nebula-mesh API authorization bypass where authenticated non-admin operators can
act on resources they do not own. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades nebula-mesh, enforces
  per-resource API authorization, adds non-owner denial tests, refreshes
  generated artifacts, and documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected nebula-mesh
  dependency, fork, deployment, or API authorization surface.

## Rules

- Scope only CVE-2026-47724 / GHSA-598g-h2vc-h5vg and directly related
  cross-operator API authorization controls.
- Treat bearer tokens, enrollment tokens, private keys, mobile bundles,
  certificates, firewall rules, host identity, and operator metadata as
  sensitive.
- Do not mint admin keys with a low-privilege token, reenroll live hosts,
  revoke real operator keys, download mobile bundles, or mutate live network or
  firewall state to prove exposure.
- Do not remove API routes, operator roles, audit logs, or tests just to silence
  the advisory.
- Do not auto-merge.

## Steps

1. Inventory every controlled nebula-mesh reference: `go.mod`, `go.sum`,
   vendored source, forks, Dockerfiles, Compose files, Helm/Kubernetes
   manifests, Terraform, generated dependency reports, SBOMs, and runbooks.
2. Determine every resolved `github.com/juev/nebula-mesh` version. A target is
   vulnerable if it resolves below `0.3.4`.
3. Search API handlers for authorization based only on an authenticated bearer
   token. Include operator API-key endpoints, host reenrollment, host CRUD,
   network CRUD, firewall update, and mobile-bundle routes.
4. If this repository only integrates with an externally owned nebula-mesh
   service, stop with `TRIAGE.md` naming the owner, files checked, and required
   fixed version `0.3.4+`.
5. Upgrade controlled dependencies and generated artifacts to `0.3.4+`.
6. For forks or equivalent code, add shared authorization helpers:
   - `requireAdmin` for operator-management actions;
   - `requireOperatorAccess` when the target operator id is explicit;
   - `requireHostAccess` for host and reenrollment routes;
   - `requireNetworkAccess` for network and firewall routes;
   - a mobile-bundle gate tied to the host or CA owner.
7. Ensure each helper loads the target resource, resolves its owner or CA, and
   allows only admin actors or the owning operator before any state change,
   token issuance, certificate write, or bundle generation occurs.
8. Return `403 forbidden` for non-owner non-admin callers and emit an audit
   event with actor id, target id, route, and reason. Do not log secrets.
9. Add regression tests:
   - admin actors can still perform intended operations;
   - owning non-admin operators can act only on owned resources;
   - non-owner non-admin operators receive 403 for every affected route;
   - unauthenticated callers still receive the existing 401;
   - denied requests do not create API keys, enrollment tokens, certificates,
     firewall changes, or mobile bundles.
10. Add a PR body section named `CVE-2026-47724 operator actions` that states:
    - nebula-mesh versions before and after;
    - which API routes were patched or triaged;
    - how actor ownership is resolved;
    - whether legacy config-key behavior remains and why;
    - whether operator keys, enrollment tokens, or certificates need review or
      rotation;
    - which validation commands passed.
11. Run available validation: `go test ./...`, route/authz tests, API smoke
    tests with synthetic users only, lint/static analysis, container build,
    deployment rendering, SBOM refresh, and dependency/security scans.
12. Use PR title:
    `fix(sec): remediate CVE-2026-47724 in nebula-mesh API authz`.

## Stop conditions

- No affected nebula-mesh dependency, fork, deployment manifest, or equivalent
  API authorization surface is controlled by this repository.
- The affected service is owned by another team or vendor; document the owner
  and required fixed version in `TRIAGE.md`.
- A safe fix requires changing tenant ownership semantics outside this
  repository's authority.
- Verification would require using real operator tokens, generating real
  enrollment tokens, reenrolling live hosts, or mutating production state.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades nebula-mesh or patches equivalent handlers, adds fail-closed ownership helpers, covers non-owner denial tests, and documents audit/operator actions.
  • Or a TRIAGE.md file that lists inspected modules/handlers, owner, observed version, API ownership boundary, privileged routes, required fix, and residual risk.
  • The output must include exact validation commands and must not mint real API keys, reenroll live hosts, mutate production firewall/network state, or expose operator secrets.

Verification - what the reviewer looks for

  • No controlled module, vendor tree, image, SBOM, or deployment target resolves github.com/juev/nebula-mesh <0.3.4.
  • Every affected API handler checks target ownership or admin status before producing tokens, bundles, certificates, or state changes.
  • Non-owner non-admin tests return 403 for operator API-key, host, reenroll, network, firewall, and mobile-bundle routes.
  • Audit logs capture denied cross-operator attempts without token or key material.
  • Operator notes cover key, enrollment-token, certificate, and host-ownership review when vulnerable endpoints were exposed.

Watch for

  • Fixing web routes while API routes still trust bearer authentication alone.
  • Adding checks after the API key, enrollment token, certificate, or mobile bundle has already been generated.
  • Treating list/read routes as low risk even though operator rosters, hosts, networks, and firewall rules reveal tenant topology.
  • Keeping legacy admin fallback behavior without a documented product/security decision.

References