{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-38651", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T17:34:42.863Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-28T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T15:44:00.225Z"}, "descriptions": [{"lang": "en", "value": "Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79b"}, {"url": "https://www.zyenra.com/blog/netmaker-jwt-verification-bypass"}, {"url": "https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-347", "lang": "en", "description": "CWE-347 Improper Verification of Cryptographic Signature"}]}], "references": [{"url": "https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass/", "tags": ["exploit"]}, {"url": "https://www.zyenra.com/blog/netmaker-jwt-verification-bypass", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T17:34:36.148138Z", "id": "CVE-2026-38651", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:34:42.863Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information"}], "id": "CVE-2026-38651", "lastModified": "2026-04-28T20:23:20.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-28T16:16:13.443", "references": [{"source": "cve@mitre.org", "url": "https://github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79b"}, {"source": "cve@mitre.org", "url": "https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass"}, {"source": "cve@mitre.org", "url": "https://www.zyenra.com/blog/netmaker-jwt-verification-bypass"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass/"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.zyenra.com/blog/netmaker-jwt-verification-bypass"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "netmaker", "vendor": "gravitl"}], "analysis": {"en": {"generated_at": "2026-04-29T02:17:21.706182+00:00", "value": {"mitigation_remediation": ["Upgrade Netmaker to version 1.5.0 or later, which includes proper JWT signature validation in VerifyHostToken.", "If an upgrade cannot be applied immediately, enforce strict firewall rules or IP filtering to block unauthorized token submissions and restrict API access only to trusted hosts.", "Audit existing deployments for any previously issued tokens signable with arbitrary keys and revoke or regenerate them to ensure only valid tokens are in use."], "summary": {"action": "Apply Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "All Netmaker installations running versions prior to 1.5.0 are impacted. This includes both community and commercial distributions that rely on JWT tokens for host authentication in software\u2011defined networking and VPN environments.", "description_and_impact": "The vulnerability resides in the VerifyHostToken function of Netmaker\u2019s logic/jwts.go, where the JWT signature is not validated when verifying host tokens. An attacker can forge a token signed with any arbitrary key and use it to impersonate any host within the network, gaining access to sensitive information and potentially other services. This flaw aligns with CWE-347, involving the use of invalid signing keys, and the issue enables a direct authentication bypass for host identities.", "risk_and_exploitability": "The likely attack vector is network-based, as forged tokens can be inserted into API traffic between hosts. The data indicates no EPSS score and no inclusion in the CISA KEV catalog. A CVSS score of 8.2 reflects a medium\u2011high severity authentication bypass, threatening confidentiality and integrity across the network."}}}}, "created": "2026-04-28T17:30:10.423306+00:00", "updated": "2026-04-29T02:30:07.565564+00:00", "vendors": ["gravitl", "gravitl$PRODUCT$netmaker"]}