CVE-2026-29196 is an authorization bypass vulnerability classified under CWE-863 affecting gravitl Netmaker, a platform that facilitates network creation using WireGuard VPN technology. Prior to version 1.5.0, users assigned the platform-user role could exploit the API endpoints GET /api/extclients/{network} and GET /api/nodes/{network} to retrieve complete WireGuard configuration records, including private keys, for all clients within a network. The root cause is insufficient authorization checks on these API endpoints, which do not enforce ownership or role-based access control filtering, unlike the Netmaker UI that restricts visibility appropriately. This allows unauthorized users to access sensitive private keys, which are critical for establishing secure VPN tunnels. The vulnerability is remotely exploitable without authentication or user interaction, with a CVSS 4.0 base score of 8.7 (high severity), reflecting the ease of exploitation and the high impact on confidentiality. Disclosure of private keys can lead to full compromise of VPN communications, enabling attackers to intercept, decrypt, or impersonate network nodes. The vulnerability was publicly disclosed and patched in version 1.5.0 of Netmaker. No known active exploits have been reported, but the risk remains significant given the nature of the exposed data.

The primary impact of this vulnerability is the unauthorized disclosure of WireGuard private keys, which undermines the confidentiality and integrity of VPN communications managed by Netmaker. Attackers gaining access to these keys can decrypt traffic, perform man-in-the-middle attacks, or impersonate legitimate network nodes, potentially leading to lateral movement within an organization's network. This can result in data breaches, espionage, or disruption of secure communications. Organizations relying on Netmaker for secure network management are at risk, especially if they have multiple users with platform-user roles. The vulnerability affects all organizations using vulnerable Netmaker versions, regardless of size or sector, but those with sensitive or critical network infrastructures are at heightened risk. The lack of authentication or user interaction required for exploitation increases the threat level, making automated or opportunistic attacks feasible. Although no exploits are currently known in the wild, the high CVSS score and nature of the vulnerability warrant urgent remediation to prevent potential compromise.

The definitive mitigation is to upgrade Netmaker to version 1.5.0 or later, where the authorization checks on the affected API endpoints have been corrected to enforce proper ownership filtering. Until upgrade is possible, organizations should restrict platform-user role assignments to trusted personnel only and monitor API access logs for suspicious activity targeting the GET /api/extclients/{network} and GET /api/nodes/{network} endpoints. Network segmentation and limiting administrative API access via firewall rules can reduce exposure. Additionally, rotating WireGuard private keys after patching is recommended to invalidate any keys potentially exposed. Implementing strict role-based access control policies and auditing user permissions regularly will help prevent similar issues. Organizations should also consider deploying network intrusion detection systems to detect anomalous VPN-related activities. Finally, educating users about the risks of unauthorized API access and enforcing multi-factor authentication for platform users can further reduce risk.