CVE-2026-29196 in Netmaker

Summary

by MITRE • 03/07/2026

Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all WireGuard configs in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. While the Netmaker UI restricts visibility, the API endpoints return full records, including private keys, without filtering based on the requesting user's ownership. This issue has been patched in version 1.5.0.

Analysis

by VulDB Data Team • 03/12/2026

The vulnerability identified as CVE-2026-29196 is a critical access control flaw in Netmaker, a network management platform that builds WireGuard network configurations. It affects versions prior to 1.5.0 and stems from improper authorization checks within the platform's API endpoints. Users with the platform-user role can exploit these endpoints to gain unauthorized access to sensitive cryptographic material. The affected endpoints are GET /api/extclients/{network} and GET /api/nodes/{network}, which are designed to retrieve network configuration data but fail to validate user permissions before returning complete records containing private keys. This flaw is a fundamental failure of the principle of least privilege and shows how API design can inadvertently expose sensitive information to unauthorized users.

The vulnerability resides in the backend API layer, where the platform fails to implement access control filtering. When a user with the platform-user role makes requests to these specific endpoints, the system returns complete configuration records, including WireGuard private keys, without verifying whether the requesting user has legitimate access to view those particular network configurations. This is a classic case of insufficient authorization checks: the system assumes that authenticated users can access all data within their assigned role scope, without segmentation or ownership validation. The vulnerability is particularly dangerous because WireGuard private keys are cryptographic material that, if compromised, would allow attackers to establish unauthorized network connections and potentially gain access to the underlying network infrastructure. This issue aligns with CWE-285, which addresses improper authorization in software systems, and specifically relates to the lack of access control validation in API endpoints.

The operational impact of this vulnerability extends beyond simple data exposure to encompass significant network security risks. An attacker with access to a platform-user account could potentially compromise entire network infrastructures by leveraging the exposed private keys to establish persistent connections to network nodes. This capability enables lateral movement within the network and could facilitate more sophisticated attacks such as man-in-the-middle operations or network reconnaissance activities. The vulnerability undermines the trust model of the platform by allowing users to access configuration data that should be restricted to administrators or owners of specific network configurations. From an attack perspective, this represents a privilege escalation vulnerability that could be exploited by malicious insiders or external attackers who have gained access to platform-user accounts. The implications are particularly severe given that WireGuard private keys are essential components for network authentication and encryption, making this a critical security concern for any organization relying on Netmaker for network management.

Mitigation strategies for this vulnerability should focus on implementing proper access control mechanisms at the API layer. The patched version 1.5.0 addresses this issue by introducing proper authorization checks that ensure users can only access network configurations they own or have explicit permission to view. Organizations should immediately upgrade to version 1.5.0 or later to remediate this vulnerability. Additional defensive measures include implementing network segmentation to isolate API endpoints, establishing monitoring for unusual API access patterns, and conducting regular security audits of API permissions. The platform should also implement role-based access control that enforces strict boundaries between user roles and their data access capabilities. Security teams should consider implementing automated vulnerability scanning to identify similar authorization flaws in other API endpoints and ensure proper input validation and output filtering mechanisms are in place. This vulnerability highlights the importance of comprehensive security testing of API endpoints and the need for continuous security monitoring to prevent unauthorized access to cryptographic materials. The remediation process should also include key rotation for any compromised WireGuard configurations and implementation of proper audit logging to track access to sensitive network data.
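The ownership check and output filtering described above, as an added Go example that is not Netmaker's own code. The record and caller types, the "admin" role name, the explicit-grant map and all sample values are assumptions made for illustration; only the platform-user role name comes from the advisory.

```go
package main

import "fmt"

// ExtClient is a simplified, hypothetical record (not Netmaker's real model).
type ExtClient struct {
	ClientID, Network, OwnerID, PublicKey, PrivateKey string
}

// Caller is the authenticated requester. Granted lists client IDs that were
// explicitly shared with this user (hypothetical permission model).
type Caller struct {
	UserID, Role string
	Granted      map[string]bool
}

// FilterForCaller decides per record, on the server, what a list call returns:
// admins and owners get the full record, explicitly shared records are
// returned with the private key cleared, everything else is omitted.
func FilterForCaller(c Caller, network string, all []ExtClient) []ExtClient {
	out := []ExtClient{}
	for _, rec := range all { // rec is a copy, so the store is never modified
		if rec.Network != network {
			continue
		}
		switch {
		case c.Role == "admin" || rec.OwnerID == c.UserID:
			out = append(out, rec)
		case c.Granted[rec.ClientID]:
			rec.PrivateKey = ""
			out = append(out, rec)
		}
	}
	return out
}

// sampleStore returns constructed records; keys are placeholders, not real keys.
func sampleStore() []ExtClient {
	return []ExtClient{
		{"alice-laptop", "corp", "alice", "PUB-A", "PRIV-A-PLACEHOLDER"},
		{"bob-phone", "corp", "bob", "PUB-B", "PRIV-B-PLACEHOLDER"},
		{"carol-tab", "corp", "carol", "PUB-C", "PRIV-C-PLACEHOLDER"},
		{"dave-pc", "lab", "dave", "PUB-D", "PRIV-D-PLACEHOLDER"},
	}
}

func main() {
	alice := Caller{UserID: "alice", Role: "platform-user", Granted: map[string]bool{"bob-phone": true}}
	for _, r := range FilterForCaller(alice, "corp", sampleStore()) {
		fmt.Printf("%s owner=%s private_key_returned=%t\n", r.ClientID, r.OwnerID, r.PrivateKey != "")
	}
}
```

The filter runs on the response path of the list endpoint, so hiding fields in the UI is no longer the only control.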

Responsible

GitHub M

Reservation

03/04/2026

Disclosure

03/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00015

KEV

no

Activities

very low
