{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nebula-mesh--0.6.0--0.7.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["nebula-mesh (\u003e= 0.6.0, \u003c= 0.7.1)"],"_cs_severities":["high"],"_cs_tags":["server-side-request-forgery","ssrf","privilege-escalation","authorization-bypass","web-application","nebula-mesh"],"_cs_type":"advisory","_cs_vendors":["ForgeKeep"],"content_html":"\u003cp\u003eA critical authorization bypass vulnerability (GHSA-7rx3-5wx3-5v76) in ForgeKeep's Nebula-mesh, affecting versions 0.6.0 through 0.7.1, allows non-admin operators to bypass server-side request forgery (SSRF) protection. Specifically, a user with the \u003ccode\u003euser\u003c/code\u003e role can enable \u003ccode\u003eallow_private: true\u003c/code\u003e when configuring webhook subscriptions (\u003ccode\u003ePOST\u003c/code\u003e/\u003ccode\u003ePATCH /api/v1/webhook-subscriptions\u003c/code\u003e), a field that lacks proper administrative access checks. This action forces the Nebula-mesh server's webhook dispatcher to use an unguarded HTTP client, circumventing internal network access controls and enabling connections to private, loopback, or link-local IP addresses. This flaw grants low-privileged attackers the ability to probe internal networks, interact blindly with internal services, and potentially exfiltrate sensitive data, such as cloud IAM credentials, escalating their privileges within the environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA non-admin operator (with \u003ccode\u003euser\u003c/code\u003e role) obtains a legitimate API key for the Nebula-mesh management interface.\u003c/li\u003e\n\u003cli\u003eThe operator sends an HTTP POST request to \u003ccode\u003e/api/v1/webhook-subscriptions\u003c/code\u003e, including \u003ccode\u003eallow_private: true\u003c/code\u003e in the JSON request body, along with a target internal or loopback URL (e.g., \u003ccode\u003ehttp://127.0.0.1:9999/internal-admin\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Nebula-mesh server processes this request and creates a webhook subscription, persisting the \u003ccode\u003eallow_private: true\u003c/code\u003e setting without performing an administrative role check.\u003c/li\u003e\n\u003cli\u003eThe operator triggers an event that corresponds to the webhook's subscription criteria (e.g., \u003ccode\u003ehost.enrolled\u003c/code\u003e, \u003ccode\u003ehost.blocked\u003c/code\u003e, \u003ccode\u003ehost.unblocked\u003c/code\u003e) for a resource they legitimately own.\u003c/li\u003e\n\u003cli\u003eUpon receiving the event, the Nebula-mesh server's webhook dispatcher prepares to send a notification. Due to \u003ccode\u003eallow_private: true\u003c/code\u003e, it selects an unguarded HTTP client, bypassing the standard SSRF protection mechanisms.\u003c/li\u003e\n\u003cli\u003eThe Nebula-mesh server initiates an outbound HTTP POST request from its own network context to the internal or loopback URL specified by the operator.\u003c/li\u003e\n\u003cli\u003eThe operator can query the status of the created webhook subscription (\u003ccode\u003eGET /api/v1/webhook-subscriptions/{id}\u003c/code\u003e) to observe \u003ccode\u003elast_status\u003c/code\u003e and \u003ccode\u003elast_error\u003c/code\u003e fields, functioning as a reachability oracle for internal services.\u003c/li\u003e\n\u003cli\u003eThrough iterative probing and blind interaction, the attacker can map the internal network, identify vulnerable services, and potentially extract sensitive information like cloud metadata or access control credentials, leading to privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation grants a non-admin operator server-side request capabilities against internal-only or loopback addresses, completely circumventing the security boundaries enforced for administrators. This exposure enables malicious actors to perform extensive internal network reconnaissance, identify and interact with sensitive internal services that are not typically exposed, and potentially exfiltrate critical information such as cloud IAM credentials from metadata services (depending on the cloud provider's metadata service version, e.g., IMDSv1). The consequence is a significant privilege escalation from a low-privileged user account, allowing for broader unauthorized access and potential control over the Nebula-mesh deployment and its underlying infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch Nebula-mesh to a version greater than 0.7.1 (or the fix release for GHSA-7rx3-5wx3-5v76) immediately to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Nebula-mesh Server Outbound Connections to Internal/Loopback IPs (SSRF Attempt)\u003c/code\u003e to your SIEM to detect suspicious network connections originating from the Nebula-mesh server to private, loopback, or link-local IP addresses.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict outbound connections from the Nebula-mesh server to only explicitly authorized and necessary internal services, limiting the impact of any potential SSRF.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:34:52Z","date_published":"2026-07-14T20:34:52Z","id":"https://feed.craftedsignal.io/briefs/2026-07-nebula-mesh-ssrf-bypass/","summary":"A vulnerability in Nebula-mesh allows non-admin operators with the 'user' role to bypass Server-Side Request Forgery (SSRF) protection by setting `allow_private: true` on webhook subscriptions, enabling the server to make requests to internal or loopback network addresses, which can lead to internal network probing, blind interaction with internal services, and potentially the exfiltration of cloud IAM credentials.","title":"Nebula-mesh Non-Admin SSRF Bypass via Webhook Configuration","url":"https://feed.craftedsignal.io/briefs/2026-07-nebula-mesh-ssrf-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Nebula-Mesh (\u003e= 0.6.0, \u003c= 0.7.1)","version":"https://jsonfeed.org/version/1.1"}