CVE-2026-29196: CWE-863: Incorrect Authorization in gravitl netmaker
Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. While the Netmaker UI restricts visibility, the API endpoints return full records, including private keys, without filtering based on the requesting user's ownership. This issue has been patched in version 1.5.0.
AI Analysis
Technical Summary
Netmaker is a platform for creating and managing WireGuard-based networks. Prior to version 1.5.0, an authorization flaw (CVE-2026-29196) existed in the API endpoints GET /api/extclients/{network} and GET /api/nodes/{network}. Both endpoints return the full stored records, WireGuard private keys included, without checking whether the requesting user owns them. The Netmaker UI restricts key visibility by ownership, but the API performs no such filtering, so any authenticated user holding the platform-user role can retrieve the private keys of every ext client and node in a network. The flaw is classified as CWE-863 (Incorrect Authorization) and carries a CVSS 4.0 score of 8.7 (high severity). It is reachable over the network and needs no user interaction, but it does require an account with the platform-user role: this is a low-privileged user reading data that should be scoped to their own objects, not an unauthenticated exposure. A stolen static private key lets an attacker impersonate the corresponding WireGuard peer and, from an on-path position, act as a man-in-the-middle for that peer's tunnel; it does not allow decryption of previously captured traffic, because WireGuard derives session keys from ephemeral handshake values. The fix shipped in Netmaker 1.5.0.
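The following Go example, added here and not taken from the Netmaker code base, shows the CWE-863 pattern the summary describes on a list endpoint and the object-level check that closes it. The role names, the ExtClient field names, the in-memory store and the placeholder keys are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Role names are assumptions for this example, not Netmaker's own constants.
const (
	RoleAdmin        = "admin"
	RolePlatformUser = "platform-user"
)

// User is the authenticated caller as resolved from the API token.
type User struct {
	Name string
	Role string
}

// ExtClient is a simplified WireGuard client record; field names are assumed.
type ExtClient struct {
	ClientID   string `json:"clientid"`
	Network    string `json:"network"`
	OwnerID    string `json:"ownerid"`
	PublicKey  string `json:"publickey"`
	PrivateKey string `json:"privatekey,omitempty"`
}

// Constructed sample store: three clients in network "corp" owned by two users
// and one client in another network. Keys are placeholders, not real keys.
var store = []ExtClient{
	{ClientID: "alice-laptop", Network: "corp", OwnerID: "alice", PublicKey: "pub-a1", PrivateKey: "priv-a1"},
	{ClientID: "bob-phone", Network: "corp", OwnerID: "bob", PublicKey: "pub-b1", PrivateKey: "priv-b1"},
	{ClientID: "bob-desktop", Network: "corp", OwnerID: "bob", PublicKey: "pub-b2", PrivateKey: "priv-b2"},
	{ClientID: "alice-tablet", Network: "lab", OwnerID: "alice", PublicKey: "pub-a2", PrivateKey: "priv-a2"},
}

var errForbidden = errors.New("forbidden")

// listExtClientsVulnerable mirrors the CWE-863 pattern: access is gated only on
// the caller holding an accepted role, after which every record in the network
// is returned verbatim, private keys included.
func listExtClientsVulnerable(caller User, network string) ([]ExtClient, error) {
	if caller.Role != RoleAdmin && caller.Role != RolePlatformUser {
		return nil, errForbidden
	}
	var out []ExtClient
	for _, c := range store {
		if c.Network == network {
			out = append(out, c)
		}
	}
	return out, nil
}

// listExtClientsFixed adds the object-level check: a platform user receives
// only the records they own, while an admin still receives the full list.
func listExtClientsFixed(caller User, network string) ([]ExtClient, error) {
	if caller.Role != RoleAdmin && caller.Role != RolePlatformUser {
		return nil, errForbidden
	}
	var out []ExtClient
	for _, c := range store {
		if c.Network != network {
			continue
		}
		if caller.Role == RoleAdmin || c.OwnerID == caller.Name {
			out = append(out, c)
		}
	}
	return out, nil
}

// leakedKeys counts private keys in a response that the caller does not own;
// for a correctly authorized non-admin response it must be zero.
func leakedKeys(caller User, resp []ExtClient) int {
	n := 0
	for _, c := range resp {
		if c.PrivateKey != "" && c.OwnerID != caller.Name {
			n++
		}
	}
	return n
}

func main() {
	alice := User{Name: "alice", Role: RolePlatformUser}
	before, _ := listExtClientsVulnerable(alice, "corp")
	after, _ := listExtClientsFixed(alice, "corp")
	fmt.Printf("vulnerable: %d records, %d foreign private keys\n", len(before), leakedKeys(alice, before))
	fmt.Printf("fixed:      %d records, %d foreign private keys\n", len(after), leakedKeys(alice, after))
}
```

The role gate alone is not authorization for a collection endpoint: the check must be applied per object against the caller's identity, and a test like leakedKeys, run as a non-admin against a network that contains other users' objects, is the regression test that catches this class of bug.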
Potential Impact
The unauthorized disclosure of WireGuard private keys poses a severe risk to organizations relying on Netmaker for secure network management. An attacker holding a peer's private key can impersonate that node toward the rest of the network and, from an on-path position, intercept its tunnel traffic, then use the access to pivot within internal networks. This compromises the confidentiality and integrity of data in transit and undermines trust in the VPN infrastructure. Organizations running affected Netmaker versions may face data breaches, loss of intellectual property, regulatory non-compliance and operational disruption. Because exploitation needs only an ordinary platform-user account and a single GET request per network, with no user interaction, any insider or compromised low-privilege account can harvest every key in every network it can name, which makes widespread abuse likely. Compromised VPN nodes can in turn serve as footholds for further attacks, escalating the overall risk.
Mitigation Recommendations
Organizations should upgrade Netmaker to version 1.5.0 or later, where the authorization flaw is patched. Until upgrading is possible, restrict platform-user role assignments to trusted personnel and monitor API access logs for non-admin callers issuing GET /api/extclients/{network} or GET /api/nodes/{network}, especially across several networks in a short time. Limit network-level reachability of the Netmaker API with segmentation and firewall rules. Audit existing API permissions and remove privileges that are not needed. Enforce multi-factor authentication and strong access controls on management interfaces. Because the patch does not invalidate keys that were already read, rotate WireGuard private keys and regenerate the affected configurations after patching, treating every key in any network a platform-user account could reach as potentially exposed. Regularly review security policies to keep least privilege enforced for all platform users.
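As an added example (not Netmaker's own tooling), the following Go program implements the log review suggested above: it flags non-admin callers whose successful GET requests hit the two bulk listing endpoints and reports how many networks each caller enumerated. The key=value log format, the sample lines and the role names are constructed assumptions; adapt parseLine to the actual access-log format of the deployment.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleLog is constructed for this example; the key=value layout is an
// assumption, not Netmaker's real log format.
const sampleLog = `ts=2026-03-10T09:00:01Z user=alice role=platform-user method=GET path=/api/extclients/corp status=200
ts=2026-03-10T09:00:02Z user=alice role=platform-user method=GET path=/api/nodes/corp status=200
ts=2026-03-10T09:00:03Z user=alice role=platform-user method=GET path=/api/nodes/lab status=200
ts=2026-03-10T09:00:04Z user=root role=admin method=GET path=/api/nodes/corp status=200
ts=2026-03-10T09:00:05Z user=bob role=platform-user method=GET path=/api/extclients/corp/bob-phone status=200
ts=2026-03-10T09:00:06Z user=bob role=platform-user method=POST path=/api/extclients/corp status=201
ts=2026-03-10T09:00:07Z user=carol role=platform-user method=GET path=/api/nodes/corp status=403`

type entry struct {
	User, Role, Method, Path, Status string
}

// bulkListPath matches exactly the two per-network list endpoints named in the
// advisory; a single-object path such as /api/extclients/{network}/{id} does not match.
var bulkListPath = regexp.MustCompile(`^/api/(extclients|nodes)/([^/]+)/?$`)

// parseLine splits one key=value log line; it rejects lines missing a user or path.
func parseLine(line string) (entry, bool) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return entry{}, false
		}
		kv[k] = v
	}
	e := entry{kv["user"], kv["role"], kv["method"], kv["path"], kv["status"]}
	if e.User == "" || e.Path == "" {
		return entry{}, false
	}
	return e, true
}

// Alert summarizes one non-admin caller's successful bulk listings.
type Alert struct {
	User     string
	Networks []string // distinct networks enumerated, sorted
	Hits     int      // number of matching requests
}

// detectBulkKeyReads returns one Alert per non-admin user who successfully
// listed /api/extclients/{network} or /api/nodes/{network}. On a pre-1.5.0
// server each such request returned every private key in that network.
func detectBulkKeyReads(log string) []Alert {
	type agg struct {
		nets map[string]bool
		hits int
	}
	byUser := map[string]*agg{}
	var order []string // preserve first-seen order for stable output
	for _, line := range strings.Split(log, "\n") {
		e, ok := parseLine(strings.TrimSpace(line))
		if !ok || e.Method != "GET" || e.Status != "200" || e.Role == "admin" {
			continue
		}
		m := bulkListPath.FindStringSubmatch(e.Path)
		if m == nil {
			continue
		}
		a := byUser[e.User]
		if a == nil {
			a = &agg{nets: map[string]bool{}}
			byUser[e.User] = a
			order = append(order, e.User)
		}
		a.nets[m[2]] = true
		a.hits++
	}
	var alerts []Alert
	for _, u := range order {
		a := byUser[u]
		nets := make([]string, 0, len(a.nets))
		for n := range a.nets {
			nets = append(nets, n)
		}
		sort.Strings(nets)
		alerts = append(alerts, Alert{User: u, Networks: nets, Hits: a.hits})
	}
	return alerts
}

func main() {
	for _, a := range detectBulkKeyReads(sampleLog) {
		fmt.Printf("ALERT user=%s bulk_key_reads=%d networks=%v\n", a.User, a.Hits, a.Networks)
	}
}
```

Every network listed in an alert should be treated as having had all of its keys read by that user, and that list is the scope for the key rotation recommended above. Requests that returned 403, non-GET methods and single-object reads are deliberately excluded so the output is the set of calls that actually returned bulk key material.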
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T14:44:00.715Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ac52cfc48b3f10ffafee8c
Added to database: 3/7/2026, 4:31:11 PM
Last enriched: 3/14/2026, 7:55:56 PM
Last updated: 4/20/2026, 7:03:37 PM