github.com/juev/nebula-mesh
Go8 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/juev/nebula-meshpage 1 of 1
- CVE-2026-47722HIGHCVSS 0.0EG 0.0✓ Fixed in 0.3.22026-06-08
nebula-mesh: Host advanced overrides allow YAML injection into agent config.yml `internal/configgen/generator.go:86,108,119` interpolates the operator-supplied `ListenHost` and `TunDevice` fields raw into a `text/template` that produces t…
- CVE-2026-47723HIGHCVSS 0.0EG 0.0✓ Fixed in 0.3.12026-06-08
nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.) None of the response paths in `internal/web/` or `internal/api/` set the standard browser-security headers. `grep` for `Content-Security-Policy…
- CVE-2026-47724CRITICALCVSS 9.9EG 9.9✓ Fixed in 0.3.42026-06-08
nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation The `/api/v1/*` route surface trusts the bearer token alone for authorisation on most endpoints. The codebase itself admits this at `internal/a…
- CVE-2026-47725HIGHCVSS 0.0EG 0.0✓ Fixed in 0.3.32026-06-08
nebula-mesh's web UI lacks CSRF tokens on /ui/* mutating endpoints Every `/ui/*` POST / PUT / PATCH / DELETE route processes the request as soon as the session cookie validates. `SameSite=Lax` on the session cookie prevents most cross-sit…
- CVE-2026-47726HIGHCVSS 0.0EG 0.0✓ Fixed in 0.3.22026-06-08
nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator `internal/api/audit.go:12` — `handleGetAuditLog` does no admin check. The route is bearer-auth gated only; any operator API key returns the full audit log via `sto…
- CVE-2026-47768MEDIUMCVSS 5.5EG 5.5✓ Fixed in 0.3.22026-06-10
nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs) `internal/web/operators.go:251` — after `handleOperatorCreateAPIKey` mints a fresh 32-byte bearer token, the redirect points the operator'…
- CVE-2026-48025MEDIUMCVSS 0.0EG 0.0✓ Fixed in 0.3.72026-06-10
nebula-mesh: Decrypted CA private key persists in heap after signing `internal/pki/resolver.go:36-64` constructs a `CAManager` with the plaintext `ed25519.PrivateKey` after unwrapping via the master key; `internal/pki/ca.go:13-16` stores …
- CVE-2026-48058MEDIUMCVSS 0.0EG 0.0✓ Fixed in 0.3.22026-06-10
nebula-mesh: Session and OIDC state cookies lack the Secure attribute `internal/web/session.go` and `internal/web/oidc.go` set `HttpOnly` and `SameSite=Lax` on every cookie but never `Secure`. A single plaintext request to the origin (ope…
Check whether github.com/juev/nebula-mesh is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for github.com/juev/nebula-mesh CVEs against the assets you own.
Start Free Scan →