How serious is CVE-2026-29195?

This vulnerability has a CVSS score of 6.9 out of 10, classified as MEDIUM severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2026-29195?

Yes, proof-of-concept exploit code for CVE-2026-29195 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2026-29195?

CVE-2026-29195 affects gravitl netmaker. Check the full CVE details for specific version information.

How do I fix CVE-2026-29195?

To remediate CVE-2026-29195, check for security patches from gravitl. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-29195

Medium

|6.9

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows an attacker with admin privileges to elevate their own account to super-admin status during user updates, potentially gaining full control over the system. This issue only affects versions prior to 1.5.0, so upgrading to the latest version is essential to mitigate the risk.

Technical Description

Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler (PUT /api/users/{username}) lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly blocks an admin from assigning the admin role to another user, it does not include an equivalent check for the super-admin role. This issue has been patched in version 1.5.0.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredHigh

User InteractionNone

Confidentiality ImpactHigh

Integrity ImpactHigh

Availability ImpactHigh

ScopeChanged

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$1,000($500-$1K)

Vendor Response

Grade APatched in 4 days

Quick Information

Published

Mar 7, 2026

about 1 month ago

Last Modified

Mar 12, 2026

27 days ago

Vendor

gravitl

Product

netmaker

Related Vulnerabilities

CVE-2026-29196High

An attacker with a specific user role can access and steal private keys for all WireGuard configurations in a network by using certain API calls, even though the user interface hides this information. This vulnerability exists in versions prior to 1.5.0, allowing unauthorized access to sensitive data without proper ownership checks.

CVE-2026-29771High

This vulnerability allows an attacker to repeatedly shut down the Netmaker server, causing it to go offline for about three seconds each time, which can disrupt network services. Any user with access to the server can exploit this issue, making it a significant risk if not updated to version 1.2.0 or later.

CVE-2026-29194High

This vulnerability allows an attacker to use a valid host token to access, modify, or delete resources belonging to other hosts in the Netmaker system. To exploit this, the attacker only needs to know the identifiers for the targeted nodes or hosts and can do so without proper authorization checks, making it a serious risk if not updated to the patched version.