CVE-2026-29194: CWE-863: Incorrect Authorization in gravitl netmaker
Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorization checks without verifying that the host is authorized to access the specific requested resource. Any entity possessing knowledge of object identifiers (node IDs, host IDs) can craft a request with an arbitrary valid host token to access, modify, or delete resources belonging to other hosts. Affected endpoints include node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations. This issue has been patched in version 1.5.0.
AI Analysis
Technical Summary
CVE-2026-29194 is an authorization bypass vulnerability classified under CWE-863 in the gravitl Netmaker software, which facilitates the creation of networks using WireGuard. Prior to version 1.5.0, the Authorize middleware component incorrectly validates host JWT tokens. Specifically, when a route permits host authentication (hostAllowed=true), the middleware accepts any valid host token and bypasses all subsequent authorization checks without verifying whether the host is authorized to access the requested resource. This means that an attacker who possesses a valid host token and knows object identifiers such as node IDs or host IDs can craft requests to access, modify, or delete resources that belong to other hosts. The vulnerability affects multiple critical endpoints, including node info retrieval, host deletion, MQTT signal transmission, fallback host updates, and failover operations. The flaw undermines the principle of least privilege by allowing unauthorized access based solely on possession of a valid token, without further resource-level authorization. The vulnerability has a CVSS 4.0 base score of 8.6 (high severity), reflecting its network attack vector, low complexity, no required user interaction, and significant impact on confidentiality and integrity. The issue was publicly disclosed on March 7, 2026, and patched in Netmaker version 1.5.0. No known exploits have been reported in the wild to date.
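The flawed pattern next to a resource-scoped check, as an added Go sketch that is not Netmaker's code. The `authorize` middleware, the `nodeid` query parameter, the ownership map and the tokens are hypothetical stand-ins, and JWT validation is replaced by a table lookup.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample data (not Netmaker's schema): node ID -> owning host ID.
var nodeOwner = map[string]string{"node-a": "host-1", "node-b": "host-2"}

// hostFromToken stands in for JWT validation; the tokens are constructed samples.
func hostFromToken(r *http.Request) (string, bool) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	id, ok := map[string]string{"tok-1": "host-1", "tok-2": "host-2"}[tok]
	return id, ok
}

// authorize with scoped=false models the flaw: on a hostAllowed route any valid
// host token ends the decision. scoped=true also requires the host to own the node.
func authorize(hostAllowed, scoped bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hostID, ok := hostFromToken(r)
		if !hostAllowed || !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		// Unknown node IDs map to "" and therefore never match a host ID.
		if scoped && nodeOwner[r.URL.Query().Get("nodeid")] != hostID {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends a GET for nodeID with the given token and returns the HTTP status.
func status(scoped bool, token, nodeID string) int {
	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
	req := httptest.NewRequest(http.MethodGet, "/node?nodeid="+nodeID, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	authorize(true, scoped, next).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status(false, "tok-1", "node-b"), status(true, "tok-1", "node-b"))
}
```

The same request from host-1 for host-2's node passes the unscoped middleware and is rejected by the scoped one, which is the difference a regression test for this class of bug should pin down.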
Potential Impact
The vulnerability allows attackers to bypass fine-grained authorization controls in Netmaker, leading to unauthorized access and manipulation of network resources. This can result in exposure of sensitive network topology information, unauthorized deletion or modification of nodes and hosts, disruption of network signaling via MQTT, and interference with fallback and failover mechanisms. Such unauthorized actions could degrade network reliability, compromise data confidentiality, and potentially facilitate lateral movement or further attacks within affected networks. Organizations relying on Netmaker for WireGuard network management may face operational disruptions, data breaches, and increased risk of persistent compromise if this vulnerability is exploited. The ease of exploitation—requiring only possession of a valid host token and knowledge of object identifiers—heightens the threat, especially in environments where token leakage or insider threats are possible.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade all Netmaker deployments to version 1.5.0 or later, where the authorization checks have been corrected. Additionally, review and rotate host JWT tokens to limit the risk from potentially compromised tokens. Implement strict token issuance and storage policies to prevent token leakage. Employ network segmentation and monitoring to detect anomalous access patterns to Netmaker endpoints. Audit access logs for unusual activity related to node and host resource requests. Where possible, enforce additional access controls at the network or application layer to restrict access to Netmaker management interfaces. Finally, educate administrators and users about the importance of safeguarding authentication tokens and promptly applying security patches.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T14:44:00.715Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ac4f4bc48b3f10ffae7abf
Added to database: 3/7/2026, 4:16:11 PM
Last enriched: 3/14/2026, 7:55:32 PM
Last updated: 4/21/2026, 4:49:28 AM