<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Nebula-Mesh - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/nebula-mesh/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 20:37:22 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/nebula-mesh/feed.xml" rel="self" type="application/rss+xml"/><item><title>Nebula-Mesh Stores Operator Session Tokens in Plaintext, Enabling Session Hijacking (CVE-2026-53603)</title><link>https://feed.craftedsignal.io/briefs/2026-07-nebula-mesh-plaintext-tokens/</link><pubDate>Tue, 14 Jul 2026 20:37:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-nebula-mesh-plaintext-tokens/</guid><description>Operator session tokens in ForgeKeep's nebula-mesh application are stored in plaintext within the database, allowing an attacker who gains read access to the database to retrieve active session tokens and hijack operator sessions, bypassing further authentication.</description><content:encoded><![CDATA[<p>ForgeKeep's nebula-mesh, an application for managing mesh networks, contains a critical vulnerability, CVE-2026-53603, affecting versions up to and including 0.3.7. This flaw stems from the insecure storage of operator session tokens, which are saved in plaintext format within the <code>operator_sessions</code> table of the underlying database. Unlike API keys and enrollment tokens, which are properly hashed, these 32-byte random hex values are directly readable. An attacker who manages to gain read access to the database - through methods such as database backups, snapshots, file copies, or SQL-level disclosure - can easily extract these active session tokens. Once obtained, these tokens can be used to hijack operator sessions, granting unauthorized access to the nebula-mesh management interface without requiring additional authentication. This poses a significant risk as it allows attackers to control the mesh environment and perform malicious operations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains unauthorized read access to the nebula-mesh application's underlying database through a separate vulnerability (e.g., SQL injection, file system compromise, or weak database credentials).</li>
<li>Attacker queries the <code>operator_sessions</code> table within the compromised database.</li>
<li>Attacker extracts plaintext 32-byte hex session tokens from the <code>token</code> column, specifically from <code>internal/models/operator.go:61</code>.</li>
<li>Attacker uses a stolen session token to forge a cookie, which is then sent to the nebula-mesh operator interface.</li>
<li>The nebula-mesh application authenticates the attacker based on the valid, stolen session token.</li>
<li>Attacker successfully hijacks the operator's session, gaining unauthorized access to the nebula-mesh management interface with the privileges of the compromised operator.</li>
<li>Attacker performs unauthorized actions, such as modifying network configurations, deploying malicious updates, or exfiltrating sensitive data from the mesh environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-53603 leads to a complete compromise of the nebula-mesh operator's session. This allows an attacker to gain full control over the affected nebula-mesh environment, bypassing all authentication mechanisms once database read access is achieved. Consequences include unauthorized configuration changes, deployment of malicious code, data exfiltration, or disruption of network operations. Since session tokens are valid for 24 hours, an attacker could maintain unauthorized access for an extended period, potentially leading to persistent control over critical infrastructure. Any organization using affected versions of nebula-mesh faces a high risk of remote code execution, denial of service, or unauthorized data access if their database is compromised.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately apply the patch for CVE-2026-53603 by updating to a version of <code>go/github.com/forgekeep/nebula-mesh</code> greater than <code>0.3.7</code>.</li>
<li>Restrict and encrypt all database backups and snapshots to prevent unauthorized access to the database where <code>operator_sessions</code> are stored.</li>
<li>Rotate the nebula-mesh operator database credentials and invalidate existing operator sessions after patching to ensure all plaintext tokens are no longer valid.</li>
<li>Implement strong access controls and logging for the database instance hosting the nebula-mesh data, monitoring for unusual query patterns or unauthorized access attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>session-hijacking</category><category>database</category><category>plaintext</category><category>credential-exposure</category><category>nebula-mesh</category></item><item><title>Nebula-mesh Non-Admin SSRF Bypass via Webhook Configuration</title><link>https://feed.craftedsignal.io/briefs/2026-07-nebula-mesh-ssrf-bypass/</link><pubDate>Tue, 14 Jul 2026 20:34:52 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-nebula-mesh-ssrf-bypass/</guid><description>A vulnerability in Nebula-mesh allows non-admin operators with the 'user' role to bypass Server-Side Request Forgery (SSRF) protection by setting `allow_private: true` on webhook subscriptions, enabling the server to make requests to internal or loopback network addresses, which can lead to internal network probing, blind interaction with internal services, and potentially the exfiltration of cloud IAM credentials.</description><content:encoded><![CDATA[<p>A critical authorization bypass vulnerability (GHSA-7rx3-5wx3-5v76) in ForgeKeep's Nebula-mesh, affecting versions 0.6.0 through 0.7.1, allows non-admin operators to bypass server-side request forgery (SSRF) protection. Specifically, a user with the <code>user</code> role can enable <code>allow_private: true</code> when configuring webhook subscriptions (<code>POST</code>/<code>PATCH /api/v1/webhook-subscriptions</code>), a field that lacks proper administrative access checks. This action forces the Nebula-mesh server's webhook dispatcher to use an unguarded HTTP client, circumventing internal network access controls and enabling connections to private, loopback, or link-local IP addresses. This flaw grants low-privileged attackers the ability to probe internal networks, interact blindly with internal services, and potentially exfiltrate sensitive data, such as cloud IAM credentials, escalating their privileges within the environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A non-admin operator (with <code>user</code> role) obtains a legitimate API key for the Nebula-mesh management interface.</li>
<li>The operator sends an HTTP POST request to <code>/api/v1/webhook-subscriptions</code>, including <code>allow_private: true</code> in the JSON request body, along with a target internal or loopback URL (e.g., <code>http://127.0.0.1:9999/internal-admin</code>).</li>
<li>The Nebula-mesh server processes this request and creates a webhook subscription, persisting the <code>allow_private: true</code> setting without performing an administrative role check.</li>
<li>The operator triggers an event that corresponds to the webhook's subscription criteria (e.g., <code>host.enrolled</code>, <code>host.blocked</code>, <code>host.unblocked</code>) for a resource they legitimately own.</li>
<li>Upon receiving the event, the Nebula-mesh server's webhook dispatcher prepares to send a notification. Due to <code>allow_private: true</code>, it selects an unguarded HTTP client, bypassing the standard SSRF protection mechanisms.</li>
<li>The Nebula-mesh server initiates an outbound HTTP POST request from its own network context to the internal or loopback URL specified by the operator.</li>
<li>The operator can query the status of the created webhook subscription (<code>GET /api/v1/webhook-subscriptions/{id}</code>) to observe <code>last_status</code> and <code>last_error</code> fields, functioning as a reachability oracle for internal services.</li>
<li>Through iterative probing and blind interaction, the attacker can map the internal network, identify vulnerable services, and potentially extract sensitive information like cloud metadata or access control credentials, leading to privilege escalation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation grants a non-admin operator server-side request capabilities against internal-only or loopback addresses, completely circumventing the security boundaries enforced for administrators. This exposure enables malicious actors to perform extensive internal network reconnaissance, identify and interact with sensitive internal services that are not typically exposed, and potentially exfiltrate critical information such as cloud IAM credentials from metadata services (depending on the cloud provider's metadata service version, e.g., IMDSv1). The consequence is a significant privilege escalation from a low-privileged user account, allowing for broader unauthorized access and potential control over the Nebula-mesh deployment and its underlying infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch Nebula-mesh to a version greater than 0.7.1 (or the fix release for GHSA-7rx3-5wx3-5v76) immediately to remediate the vulnerability.</li>
<li>Deploy the Sigma rule <code>Detect Nebula-mesh Server Outbound Connections to Internal/Loopback IPs (SSRF Attempt)</code> to your SIEM to detect suspicious network connections originating from the Nebula-mesh server to private, loopback, or link-local IP addresses.</li>
<li>Implement network segmentation to restrict outbound connections from the Nebula-mesh server to only explicitly authorized and necessary internal services, limiting the impact of any potential SSRF.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>server-side-request-forgery</category><category>ssrf</category><category>privilege-escalation</category><category>authorization-bypass</category><category>web-application</category><category>nebula-mesh</category></item></channel></rss>