Security: forgekeep/nebula-mesh
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private`GHSA-7rx3-5wx3-5v76 published
Jul 1, 2026 by juevHigh -
Certificate revocation is never enforced at the mesh: nebula-agent drops the polled blocklist and the generated config.yml has no pki.blocklist, so blocked/compromised hosts keep full mesh access until their cert expires (up to 30d agent / 365d mobile)GHSA-cm26-5974-52h8 published
Jun 23, 2026 by juevHigh -
Web UI host creation ignores configured enrollment token TTL and mints 24-hour bearer enrollment tokensGHSA-g4x6-jcvr-9m3g published
Jun 13, 2026 by juevModerate -
Unauthenticated OIDC login endpoint allocates unbounded in-memory state entries without rate limitingGHSA-m3cx-mwpg-32jg published
Jun 13, 2026 by juevModerate -
Operator session tokens stored in plaintext in the databaseGHSA-q4vm-pq3q-8wgq published
Jun 4, 2026 by juevHigh -
CA private key not zeroized on web mobile-bundle error pathsGHSA-2p2f-px33-4vv5 published
Jun 4, 2026 by juevHigh -
Host revocation is not durable: blocked/offboarded hosts can regain a valid certificateGHSA-339v-266x-79xr published
Jun 2, 2026 by juevModerate -
Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete)GHSA-c6v2-3ffm-vcmc published
May 25, 2026 by juevHigh -
Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)GHSA-9pg3-25fq-p6cc published
May 21, 2026 by juevModerate -
POST /api/v1/hosts/{id}/mobile-bundle response lacks Cache-Control: no-storeGHSA-6vgg-xhvh-38ff published
May 21, 2026 by juevLow