How serious is CVE-2026-29196?

This vulnerability has a CVSS score of 8.7 out of 10, classified as HIGH severity. No public exploit code has been identified yet.

Which products are affected by CVE-2026-29196?

CVE-2026-29196 affects gravitl netmaker. Check the full CVE details for specific version information.

How do I fix CVE-2026-29196?

To remediate CVE-2026-29196, check for security patches from gravitl. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-29196

High

|8.7

No Exploit

Plain English Summary

AI-powered analysis for quick understanding

An attacker with a specific user role can access and steal private keys for all WireGuard configurations in a network by using certain API calls, even though the user interface hides this information. This vulnerability exists in versions prior to 1.5.0, allowing unauthorized access to sensitive data without proper ownership checks.

Technical Description

Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. While the Netmaker UI restricts visibility, the API endpoints return full records, including private keys, without filtering based on the requesting user's ownership. This issue has been patched in version 1.5.0.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

Confidentiality ImpactHigh

Integrity ImpactHigh

Availability ImpactHigh

ScopeChanged

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$4,579($1K-$5K)

Vendor Response

Grade APatched in 4 days

Quick Information

Published

Mar 7, 2026

about 1 month ago

Last Modified

Mar 12, 2026

26 days ago

Vendor

gravitl

Product

netmaker

Related Vulnerabilities

CVE-2026-29195Medium

This vulnerability allows an attacker with admin privileges to elevate their own account to super-admin status during user updates, potentially gaining full control over the system. This issue only affects versions prior to 1.5.0, so upgrading to the latest version is essential to mitigate the risk.

CVE-2026-29771High

This vulnerability allows an attacker to repeatedly shut down the Netmaker server, causing it to go offline for about three seconds each time, which can disrupt network services. Any user with access to the server can exploit this issue, making it a significant risk if not updated to version 1.2.0 or later.

CVE-2026-29194High

This vulnerability allows an attacker to use a valid host token to access, modify, or delete resources belonging to other hosts in the Netmaker system. To exploit this, the attacker only needs to know the identifiers for the targeted nodes or hosts and can do so without proper authorization checks, making it a serious risk if not updated to the patched version.