CVE-2026-47725 is a high-severity improper privilege management vulnerability in github.com/juev/nebula-mesh (go), affecting versions <= 0.3.2. It is fixed in 0.3.3.
Every /ui/* POST / PUT / PATCH / DELETE route processes the request as soon as the session cookie validates. SameSite=Lax on the session cookie prevents most cross-site form submits but does not protect: top-level form-submit navigations from third-party pages (some browsers still send Lax cookies on top-level POSTs) same-registrable-domain attackers (sibling-subdomain XSS, subdomain takeover) the GET /ui/logout route, which a third-party <img src=".../ui/logout"> can force-trigger The admin UI signs CA certificates, mints API keys, rotates / retires / deletes CAs, disables operators, and changes server settings. CSRF here is a real privilege escalation, not just annoyance. Affected All released versions up to v0.3.2. Suggested fix Double-submit cookie: a 32-byte crypto/rand token in a non-HttpOnly csrf cookie, echoed in either X-CSRF-Token (htmx) or a csrf form field (HTML forms). Compared in constant time. Rotated on every privilege transition (Login, OIDC StartAuthenticatedSession, CompleteTwoFactor, Logout) so pre-auth fixation cannot survive promotion. Rejections audit-logged as ui.csrf.rejected with reason; response body stays opaque. /ui/logout becomes POST so it is no longer reachable via <img> tags. Fix coordinates with the Secure-cookie advisory disclosed concurrently, the _csrf cookie inherits the same Secure-attribute derivation. Reproducer With an authenticated operator session in browser tab A, open the following minimal HTML in any other tab: Click. The CA is deleted, the server processes the POST because the session cookie is automatically attached and there is no other check. The same trick works for force-rotate, retire, mint API keys, disable operators, etc. Alternative force-logout: <img src="https://nebula.example.com/ui/logout"> placed on an attacker's page logs out any visiting authenticated operator. No interaction required. Notes Multipart and JSON endpoints don't exist in the current UI surface. Future additions must rely on the header path because r.PostFormValue only reads application/x-www-form-urlencoded bodies. The middleware's package comment documents this. The patch assumes nebula-mgmt is the sole authority on its registrable domain. A compromised sibling subdomain can still set parent-domain cookies and forge matches; SameSite=Lax does not prevent that. Documented in the patch.
The application assigns, modifies, tracks, or checks privileges incorrectly, allowing a user to gain elevated access. Typical impact: privilege escalation beyond the intended level.
go
github.com/juev/nebula-mesh (<= 0.3.2)github.com/juev/nebula-mesh → 0.3.3 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-47725 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-47725 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-47725 in your environment →Upgrade github.com/juev/nebula-mesh to 0.3.3 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-47725 is a high-severity improper privilege management vulnerability in github.com/juev/nebula-mesh (go), affecting versions <= 0.3.2. It is fixed in 0.3.3. The application assigns, modifies, tracks, or checks privileges incorrectly, allowing a user to gain elevated access.
github.com/juev/nebula-mesh (go) versions <= 0.3.2 is affected.
Yes. CVE-2026-47725 is fixed in 0.3.3. Upgrade to this version or later.
Whether CVE-2026-47725 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade github.com/juev/nebula-mesh to 0.3.3 or later.