CVE-2026-47725

HIGHPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: 0%CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

nebula-mesh's web UI lacks CSRF tokens on /ui/* mutating endpoints

Every /ui/* POST / PUT / PATCH / DELETE route processes the request as soon as the session cookie validates. SameSite=Lax on the session cookie prevents most cross-site form submits but does not protect:

  • top-level form-submit navigations from third-party pages (some browsers still send Lax cookies on top-level POSTs)
  • same-registrable-domain attackers (sibling-subdomain XSS, subdomain takeover)
  • the GET /ui/logout route, which a third-party ` can force-trigger

The admin UI signs CA certificates, mints API keys, rotates / retires / deletes CAs, disables operators, and changes server settings. CSRF here is a real privilege escalation, not just annoyance.

Affected

All released versions up to v0.3.2.

Suggested fix

Double-submit cookie: a 32-byte
crypto/rand token in a non-HttpOnly _csrf cookie, echoed in either X-CSRF-Token (htmx) or a _csrf form field (HTML forms). Compared in constant time. Rotated on every privilege transition (Login, OIDC StartAuthenticatedSession, CompleteTwoFactor, Logout) so pre-auth fixation cannot survive promotion. Rejections audit-logged as ui.csrf.rejected with reason; response body stays opaque.

/ui/logout becomes POST so it is no longer reachable via tags.

Fix coordinates with the Secure-cookie advisory disclosed concurrently — the _csrf cookie inherits the same Secure-attribute derivation.

Reproducer

With an authenticated operator session in browser tab A, open the following minimal HTML in any other tab:

Click for free puppy

Click. The CA is deleted — the server processes the POST because the session cookie is automatically attached and there is no other check. The same trick works for force-rotate, retire, mint API keys, disable operators, etc.

Alternative force-logout: placed on an attacker's page logs out any visiting authenticated operator. No interaction required.

Notes

  • Multipart and JSON endpoints don't exist in the current UI surface. Future additions must rely on the header path because r.PostFormValue only reads application/x-www-form-urlencoded` bodies. The middleware's package comment documents this.
  • The patch assumes nebula-mgmt is the sole authority on its registrable domain. A compromised sibling subdomain can still set parent-domain cookies and forge matches; SameSite=Lax does not prevent that. Documented in the patch.

CVSS v3
EG Score
0.0(none)
EPSS
2.3%
KEV
Not listed

Published

June 8, 2026

Last Modified

June 8, 2026

Vendor Advisories for CVE-2026-47725(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Go(1)
PackageVulnerable rangeFixed inDependents
github.com/juev/nebula-mesh0.3.3

Data Freshness Timeline

(refreshed 0× in last 7d / 5× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-14 23:18 UTCEPSS rescore
  2. 2026-06-14 12:00 UTCEG score recompute
  3. 2026-06-13 23:00 UTCEPSS rescore
  4. 2026-06-12 23:12 UTCEPSS rescore
  5. 2026-06-08 23:32 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-47725?
CVE-2026-47725 is a high vulnerability published on June 8, 2026. nebula-mesh's web UI lacks CSRF tokens on /ui/* mutating endpoints Every /ui/* POST / PUT / PATCH / DELETE route processes the request as soon as the session cookie validates. SameSite=Lax on the session cookie prevents most cross-site form submits but does not protect: top-level form-submit…
When was CVE-2026-47725 disclosed?
CVE-2026-47725 was first published in the National Vulnerability Database on June 8, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47725 actively exploited?
CVE-2026-47725 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 2.3% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
How do I remediate CVE-2026-47725?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47725, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47725

Explore →

Is Your Infrastructure Affected by CVE-2026-47725?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.