anonhaven
Ad

CVE-2026-29195

MEDIUM CVSS 4.0: 6.9 EPSS 0.01%
Updated Mar 07, 2026
Wireguard
Parameter Value
CVSS 6.9 (MEDIUM)
Fixed In 1.5.0
Type CWE-863 (Incorrect Authorization)
Vendor Wireguard
Public PoC No

Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler (PUT /api/users/{username}) lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly blocks an admin from assigning the admin role to another user, it does not include an equivalent check for the super-admin role.

This issue has been patched in version 1.5.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
High
Admin privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-863 Incorrect Authorization

References 2

https://github.com/gravitl/netmaker/releases/tag/v1.5.0
security-advisories@github.com
https://github.com/gravitl/netmaker/security/advisories/GHSA-ch3w-9456-38v3
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-34227

Bishopfox

5.9

CVE-2026-32941

Bishopfox

7.1

CVE-2026-29196

Wireguard

8.7

CVE-2026-29781

Wireguard

5.3

CVE-2026-29771

Wireguard

8.7