SCA: security update for github.com/gravitl/netmaker (GHSA-hmqr-wjmj-376c)

high Tenable Self-Hosted Container Security Plugin ID 438498

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker
incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a
valid host token bypasses all subsequent authorization checks without verifying that the host is
authorized to access the specific requested resource. Any entity possessing knowledge of object
identifiers (node IDs, host IDs) can craft a request with an arbitrary valid host token to access, modify,
or delete resources belonging to other hosts. Affected endpoints include node info retrieval, host
deletion, MQTT signal transmission, fallback host updates, and failover operations. This issue has been
patched in version 1.5.0. (CVE-2026-29194)

Solution

Update the github.com/gravitl/netmaker library and its related packages to version 1.5.0 or later.

See Also

https://github.com/advisories/GHSA-hmqr-wjmj-376c

Plugin Details

Severity: High

ID: 438498

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 3/9/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.59

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N

CVSS Score Source: CVE-2026-29194

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.6

Threat Score: 6.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/9/2026

Vulnerability Publication Date: 3/7/2026

Reference Information

CVE: CVE-2026-29194

cwe: CWE-863