CVE-2026-47724 - nebula-mesh API ownership authorization bypass
nebula-mesh versions before 0.3.4 trusted an authenticated bearer token for
many /api/v1/* API routes without consistently checking whether the operator
owned the target resource. A non-admin operator could use affected endpoints to
mint or manage API keys, reenroll hosts, mutate host/network/firewall state, or
access mobile bundles outside their owned certificate-authority boundary.
This is an authorization boundary failure, not a missing-authentication bug. A safe remediation must preserve the existing authenticated API shape while adding per-resource authorization gates that match the web layer’s ownership model.
When to use it
Use this recipe when a Go service depends on nebula-mesh or carries an
equivalent authenticated API where operators, hosts, networks, firewall rules,
mobile bundles, API keys, or certificate-authority resources need per-owner
authorization. It is designed for source-code remediation, tenant/ownership
boundary review, audit-log evidence, and regression tests proving non-owner
operators receive 403.
Inputs
- nebula-mesh version, Go module/vendor state, API route inventory, operator role model, ownership schema, web/API authorization helpers, and deployment manifests or generated dependency reports.
- Source paths for operator API keys, host reenrollment, host/network/firewall handlers, mobile bundles, CA access, auth middleware, audit logging, and test fixtures.
- Regression fixtures for admin success, owner success, non-owner denial, missing-resource denial, mobile-bundle access, API-key minting, and audit-log behavior.
- Boundary evidence: tenant/operator ownership rules, privileged endpoint list, production API exposure, logs, migration owner, and rollout owner.
Affected versions
- Vulnerable package:
github.com/juev/nebula-mesh <0.3.4 - Fixed package:
github.com/juev/nebula-mesh 0.3.4+ - Affected surface: API handlers for operator management, hosts, networks, firewall rules, reenrollment, and mobile bundles
- Required attacker capability: any valid non-admin operator API key
- Weakness: missing authorization checks after authentication
Indicator-of-exposure
- The repository depends on, vendors, forks, deploys, or packages
github.com/juev/nebula-meshbefore0.3.4. - Product code carries equivalent API handlers that authorize only on bearer token presence and not on the target operator, host, network, or CA owner.
- Routes such as
/api/v1/operators/*/api-keys,/api/v1/hosts/*/reenroll,/api/v1/hosts*,/api/v1/networks*,/api/v1/networks/*/firewall, or/api/v1/hosts/*/mobile-bundleare reachable by non-admin operators. - Tests cover admin success paths but not non-owner operator denial paths.
- Audit logs do not clearly record forbidden cross-operator attempts.
Quick checks:
rg -n "nebula-mesh|github.com/juev/nebula-mesh|handleCreateOperatorAPIKey|handleReenroll|mintEnrollmentTokenForHost|mobile-bundle|canAccessCA|actorIsAdmin|loadAccessibleCA|/api/v1/(hosts|networks|operators)" .
go list -m -json github.com/juev/nebula-mesh
rg -n "requireAdmin|requireOperatorAccess|requireHostAccess|requireNetworkAccess|403|forbidden|audit" internal tests . 2>/dev/null
Windows:
rg -n "nebula-mesh|github.com/juev/nebula-mesh|handleCreateOperatorAPIKey|handleReenroll|mintEnrollmentTokenForHost|mobile-bundle|canAccessCA|actorIsAdmin|loadAccessibleCA|/api/v1/(hosts|networks|operators)" .
go list -m -json github.com/juev/nebula-mesh
rg -n "requireAdmin|requireOperatorAccess|requireHostAccess|requireNetworkAccess|403|forbidden|audit" internal tests .
Do not mint real admin API keys, reenroll live hosts, revoke another operator’s keys, or mutate live firewall/network state while validating exposure.
Remediation strategy
- Upgrade every controlled
github.com/juev/nebula-meshdependency, vendor tree, container image, SBOM, generated dependency report, and deployment manifest to0.3.4+. - If this repository maintains a fork or equivalent API surface, add shared fail-closed helpers for admin-only actions and owner-scoped host, network, firewall, and mobile-bundle actions.
- Resolve the actor from the authenticated API key, load the target resource,
map the resource to its owning operator or CA, and return
403for non-owner non-admin actors before any state change or secret material is produced. - Preserve existing admin behavior and any explicitly documented legacy config key behavior only where product policy still requires it.
- Add audit events for forbidden cross-operator API attempts without logging bearer tokens, enrollment tokens, private keys, mobile bundle contents, or certificate material.
- Review logs and rotate operator API keys if non-admin operators could reach vulnerable endpoints before the fix.
The prompt
You are remediating CVE-2026-47724 / GHSA-598g-h2vc-h5vg, a critical
nebula-mesh API authorization bypass where authenticated non-admin operators can
act on resources they do not own. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades nebula-mesh, enforces
per-resource API authorization, adds non-owner denial tests, refreshes
generated artifacts, and documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected nebula-mesh
dependency, fork, deployment, or API authorization surface.
## Rules
- Scope only CVE-2026-47724 / GHSA-598g-h2vc-h5vg and directly related
cross-operator API authorization controls.
- Treat bearer tokens, enrollment tokens, private keys, mobile bundles,
certificates, firewall rules, host identity, and operator metadata as
sensitive.
- Do not mint admin keys with a low-privilege token, reenroll live hosts,
revoke real operator keys, download mobile bundles, or mutate live network or
firewall state to prove exposure.
- Do not remove API routes, operator roles, audit logs, or tests just to silence
the advisory.
- Do not auto-merge.
## Steps
1. Inventory every controlled nebula-mesh reference: `go.mod`, `go.sum`,
vendored source, forks, Dockerfiles, Compose files, Helm/Kubernetes
manifests, Terraform, generated dependency reports, SBOMs, and runbooks.
2. Determine every resolved `github.com/juev/nebula-mesh` version. A target is
vulnerable if it resolves below `0.3.4`.
3. Search API handlers for authorization based only on an authenticated bearer
token. Include operator API-key endpoints, host reenrollment, host CRUD,
network CRUD, firewall update, and mobile-bundle routes.
4. If this repository only integrates with an externally owned nebula-mesh
service, stop with `TRIAGE.md` naming the owner, files checked, and required
fixed version `0.3.4+`.
5. Upgrade controlled dependencies and generated artifacts to `0.3.4+`.
6. For forks or equivalent code, add shared authorization helpers:
- `requireAdmin` for operator-management actions;
- `requireOperatorAccess` when the target operator id is explicit;
- `requireHostAccess` for host and reenrollment routes;
- `requireNetworkAccess` for network and firewall routes;
- a mobile-bundle gate tied to the host or CA owner.
7. Ensure each helper loads the target resource, resolves its owner or CA, and
allows only admin actors or the owning operator before any state change,
token issuance, certificate write, or bundle generation occurs.
8. Return `403 forbidden` for non-owner non-admin callers and emit an audit
event with actor id, target id, route, and reason. Do not log secrets.
9. Add regression tests:
- admin actors can still perform intended operations;
- owning non-admin operators can act only on owned resources;
- non-owner non-admin operators receive 403 for every affected route;
- unauthenticated callers still receive the existing 401;
- denied requests do not create API keys, enrollment tokens, certificates,
firewall changes, or mobile bundles.
10. Add a PR body section named `CVE-2026-47724 operator actions` that states:
- nebula-mesh versions before and after;
- which API routes were patched or triaged;
- how actor ownership is resolved;
- whether legacy config-key behavior remains and why;
- whether operator keys, enrollment tokens, or certificates need review or
rotation;
- which validation commands passed.
11. Run available validation: `go test ./...`, route/authz tests, API smoke
tests with synthetic users only, lint/static analysis, container build,
deployment rendering, SBOM refresh, and dependency/security scans.
12. Use PR title:
`fix(sec): remediate CVE-2026-47724 in nebula-mesh API authz`.
## Stop conditions
- No affected nebula-mesh dependency, fork, deployment manifest, or equivalent
API authorization surface is controlled by this repository.
- The affected service is owned by another team or vendor; document the owner
and required fixed version in `TRIAGE.md`.
- A safe fix requires changing tenant ownership semantics outside this
repository's authority.
- Verification would require using real operator tokens, generating real
enrollment tokens, reenrolling live hosts, or mutating production state.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades nebula-mesh or patches equivalent handlers, adds fail-closed ownership helpers, covers non-owner denial tests, and documents audit/operator actions.
- Or a
TRIAGE.mdfile that lists inspected modules/handlers, owner, observed version, API ownership boundary, privileged routes, required fix, and residual risk. - The output must include exact validation commands and must not mint real API keys, reenroll live hosts, mutate production firewall/network state, or expose operator secrets.
Verification - what the reviewer looks for
- No controlled module, vendor tree, image, SBOM, or deployment target resolves
github.com/juev/nebula-mesh <0.3.4. - Every affected API handler checks target ownership or admin status before producing tokens, bundles, certificates, or state changes.
- Non-owner non-admin tests return 403 for operator API-key, host, reenroll, network, firewall, and mobile-bundle routes.
- Audit logs capture denied cross-operator attempts without token or key material.
- Operator notes cover key, enrollment-token, certificate, and host-ownership review when vulnerable endpoints were exposed.
Watch for
- Fixing web routes while API routes still trust bearer authentication alone.
- Adding checks after the API key, enrollment token, certificate, or mobile bundle has already been generated.
- Treating list/read routes as low risk even though operator rosters, hosts, networks, and firewall rules reveal tenant topology.
- Keeping legacy admin fallback behavior without a documented product/security decision.
Related recipes
- Source code authz tenant boundary audit
- Source code attack surface map
- OWASP Top 10 2026 audit
- NIST SSDF repository evidence check
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-598g-h2vc-h5vg
- Source repository: https://github.com/juev/nebula-mesh
- Fix reference: https://github.com/forgekeep/nebula-mesh/commit/9d8bcd7