CVE-2026-49258

HIGHPre-NVD 8.88.8
EchelonGraph scoreHIGH confidence

Score 8.8 from GitHub Security Advisory (severity: HIGH) published 2026-06-26. the CNA's CVSS baseline 8.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: cna:github_m, ghsa
8.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 8.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete)

Summary

The web UI (/ui/*) does not apply the per-operator CA scoping the JSON API received for GHSA-598g-h2vc-h5vg. Any authenticated non-admin operator (for example, one created via self-registration or OIDC) can access resources belonging to other operators.

Impact

A non-admin operator can:

  • Block or delete any other operator's host. POST /ui/hosts/{id}/block and DELETE /ui/hosts/{id} act on the URL id with no ownership check, so a non-admin can block (revoking the host's certificate via the blocklist) or delete any host in the deployment — a cross-operator denial of service.
  • Read every operator's hosts and networks. The dashboard, /ui/hosts, the host detail page, /ui/networks (including the create-form error re-render), and the /ui/events stream all return data across all operators, exposing host names, Nebula IPs, public IPs, certificate fingerprints and expiry, and network names and CIDRs.

This is the same cross-operator class as GHSA-598g; that remediation covered the JSON API but not the web read/mutation surface. The host create/edit/mobile-bundle/network-create paths and all CA-management routes were already correctly scoped.

Affected handlers (internal/web): handleHostDetail, handleHostBlock, handleHostDelete, handleDashboard, handlePartialStats, handleHosts, handleNetworks, renderNetworksError, handleHostEvents.

Conditions

Exposure requires at least one non-admin operator to exist (self-registration enabled, OIDC, or an admin-created user). A single-admin deployment with no additional operators is not affected.

Fix

A complete candidate fix with regression tests is ready in a private repository shared with the maintainer (ak2k/nebula-mesh-ghsa-web, PR #1): scope these handlers to the session operator's owned CAs (admins keep the full view), mirroring the API's ownership checks.

CVSS v3
8.8
EG Score
8.8(high)
EPSS
KEV
Not listed

Published

June 26, 2026

Last Modified

June 26, 2026

Vendor Advisories for CVE-2026-49258(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Patch Availability(1)

Vendor / EcosystemFixed in / PatchReleasedSource
gogithub.com/juev/nebula-meshghsa

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(2)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 30× in last 7d / 46× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 22:03 UTCEG score recompute
  2. 2026-07-06 22:03 UTCGHSA enrichment
  3. 2026-07-06 11:08 UTCEG score recompute
  4. 2026-07-06 11:07 UTCGHSA enrichment
  5. 2026-07-06 00:12 UTCEG score recompute
  6. 2026-07-06 00:12 UTCGHSA enrichment
  7. 2026-07-05 13:18 UTCEG score recompute
  8. 2026-07-05 13:17 UTCGHSA enrichment
  9. 2026-07-05 02:21 UTCEG score recompute
  10. 2026-07-05 02:21 UTCGHSA enrichment
  11. 2026-07-04 15:26 UTCEG score recompute
  12. 2026-07-04 15:26 UTCGHSA enrichment
  13. 2026-07-04 04:32 UTCEG score recompute
  14. 2026-07-04 04:31 UTCGHSA enrichment
  15. 2026-07-03 17:31 UTCEG score recompute
  16. 2026-07-03 17:30 UTCGHSA enrichment
  17. 2026-07-03 06:36 UTCEG score recompute
  18. 2026-07-03 06:36 UTCGHSA enrichment
  19. 2026-07-02 19:37 UTCEG score recompute
  20. 2026-07-02 19:37 UTCGHSA enrichment
  21. 2026-07-02 08:41 UTCEG score recompute
  22. 2026-07-02 08:41 UTCGHSA enrichment
  23. 2026-07-01 21:46 UTCEG score recompute
  24. 2026-07-01 21:46 UTCGHSA enrichment
  25. 2026-07-01 10:52 UTCEG score recompute
Show 21 more
  1. 2026-07-01 10:52 UTCGHSA enrichment
  2. 2026-06-30 23:55 UTCEG score recompute
  3. 2026-06-30 23:55 UTCGHSA enrichment
  4. 2026-06-30 13:01 UTCEG score recompute
  5. 2026-06-30 13:00 UTCGHSA enrichment
  6. 2026-06-30 02:05 UTCEG score recompute
  7. 2026-06-30 02:05 UTCGHSA enrichment
  8. 2026-06-29 15:10 UTCEG score recompute
  9. 2026-06-29 15:10 UTCGHSA enrichment
  10. 2026-06-29 04:14 UTCEG score recompute
  11. 2026-06-29 04:14 UTCGHSA enrichment
  12. 2026-06-28 17:20 UTCEG score recompute
  13. 2026-06-28 17:20 UTCGHSA enrichment
  14. 2026-06-28 06:26 UTCEG score recompute
  15. 2026-06-28 06:25 UTCGHSA enrichment
  16. 2026-06-27 19:29 UTCEG score recompute
  17. 2026-06-27 19:29 UTCGHSA enrichment
  18. 2026-06-27 08:35 UTCEG score recompute
  19. 2026-06-27 08:35 UTCGHSA enrichment
  20. 2026-06-26 21:40 UTCEG score recompute
  21. 2026-06-26 21:40 UTCGHSA enrichment

Frequently asked(4)

What is CVE-2026-49258?
CVE-2026-49258 is a high vulnerability published on June 26, 2026. Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete) Summary The web UI (/ui/*) does not apply the per-operator CA scoping the JSON API received for GHSA-598g-h2vc-h5vg. Any authenticated non-admin operator (for example, one created…
When was CVE-2026-49258 disclosed?
CVE-2026-49258 was first published in the National Vulnerability Database on June 26, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-49258?
CVE-2026-49258 has a CVSS v4.0 base score of 8.8 (CNA self-assessment; NVD's own analysis pending).
How do I remediate CVE-2026-49258?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-49258, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-49258

Explore →

Is Your Infrastructure Affected by CVE-2026-49258?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.