CVE-2026-53603

HIGHPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

nebula-mesh: Operator session tokens stored in plaintext in the database

Impact

Operator session tokens are stored in plaintext in the operator_sessions table (the token column is the PRIMARY KEY). The session token is a 32-byte random hex value sent directly in a cookie and valid for 24 hours.

  • internal/models/operator.go:61OperatorSession.Token holds the plaintext token.
  • internal/store/sqlite_operators.go:590CreateOperatorSession inserts sess.Token verbatim.
  • internal/store/sqlite_operators.go:603,642,681,698 — lookups/updates/deletes use WHERE token = ? against the plaintext value.

Anyone who can read the database (backup, snapshot, file copy, or SQL-level disclosure) obtains every active session token and can hijack operator sessions directly, with no further authentication.

This is functionally identical to the plaintext enrollment-token issue fixed in GHSA-ghmh-jhmj-wcmf. API keys (OperatorAPIKey.KeyHash) and enrollment tokens (EnrollmentToken.TokenHash) already store only a SHA256 hash; session tokens were missed.

Patches

Store only a SHA256 hash of the session token, mirroring API keys and enrollment tokens:

  • Add a HashSessionToken helper (alongside the existing token-hash helpers).
  • Migration to add a token_hash column.
  • Update CreateOperatorSession, PromoteOperatorSession, and GetOperatorBySession to write/look up by hash.
  • Drop the plaintext token column in a follow-up migration.

Sessions are ephemeral (24h TTL), so all active sessions can be invalidated on deployment — no backward compatibility needed.

Workarounds

Restrict and encrypt database backups; rotate the operator database. These mitigate exposure but do not fix the underlying storage of plaintext tokens.

Resources

  • internal/models/operator.go:58-66
  • internal/store/sqlite_operators.go:577-698
  • Migration 005_operators.up.sql:27
  • Prior related advisory: GHSA-ghmh-jhmj-wcmf

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 14, 2026

Last Modified

July 14, 2026

Vendor Advisories for CVE-2026-53603(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-14 20:56 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-53603?
CVE-2026-53603 is a high vulnerability published on July 14, 2026. nebula-mesh: Operator session tokens stored in plaintext in the database Impact Operator session tokens are stored in plaintext in the operator_sessions table (the token column is the PRIMARY KEY). The session token is a 32-byte random hex value sent directly in a cookie and valid for 24 hours.…
When was CVE-2026-53603 disclosed?
CVE-2026-53603 was first published in the National Vulnerability Database on July 14, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-53603?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-53603, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-53603

Explore →

Is Your Infrastructure Affected by CVE-2026-53603?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.