{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/forgekeep/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["nebula-mesh (\u003c= 0.3.7)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","session-hijacking","database","plaintext","credential-exposure","nebula-mesh"],"_cs_type":"advisory","_cs_vendors":["ForgeKeep"],"content_html":"\u003cp\u003eForgeKeep's nebula-mesh, an application for managing mesh networks, contains a critical vulnerability, CVE-2026-53603, affecting versions up to and including 0.3.7. This flaw stems from the insecure storage of operator session tokens, which are saved in plaintext format within the \u003ccode\u003eoperator_sessions\u003c/code\u003e table of the underlying database. Unlike API keys and enrollment tokens, which are properly hashed, these 32-byte random hex values are directly readable. An attacker who manages to gain read access to the database - through methods such as database backups, snapshots, file copies, or SQL-level disclosure - can easily extract these active session tokens. Once obtained, these tokens can be used to hijack operator sessions, granting unauthorized access to the nebula-mesh management interface without requiring additional authentication. This poses a significant risk as it allows attackers to control the mesh environment and perform malicious operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains unauthorized read access to the nebula-mesh application's underlying database through a separate vulnerability (e.g., SQL injection, file system compromise, or weak database credentials).\u003c/li\u003e\n\u003cli\u003eAttacker queries the \u003ccode\u003eoperator_sessions\u003c/code\u003e table within the compromised database.\u003c/li\u003e\n\u003cli\u003eAttacker extracts plaintext 32-byte hex session tokens from the \u003ccode\u003etoken\u003c/code\u003e column, specifically from \u003ccode\u003einternal/models/operator.go:61\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker uses a stolen session token to forge a cookie, which is then sent to the nebula-mesh operator interface.\u003c/li\u003e\n\u003cli\u003eThe nebula-mesh application authenticates the attacker based on the valid, stolen session token.\u003c/li\u003e\n\u003cli\u003eAttacker successfully hijacks the operator's session, gaining unauthorized access to the nebula-mesh management interface with the privileges of the compromised operator.\u003c/li\u003e\n\u003cli\u003eAttacker performs unauthorized actions, such as modifying network configurations, deploying malicious updates, or exfiltrating sensitive data from the mesh environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-53603 leads to a complete compromise of the nebula-mesh operator's session. This allows an attacker to gain full control over the affected nebula-mesh environment, bypassing all authentication mechanisms once database read access is achieved. Consequences include unauthorized configuration changes, deployment of malicious code, data exfiltration, or disruption of network operations. Since session tokens are valid for 24 hours, an attacker could maintain unauthorized access for an extended period, potentially leading to persistent control over critical infrastructure. Any organization using affected versions of nebula-mesh faces a high risk of remote code execution, denial of service, or unauthorized data access if their database is compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply the patch for CVE-2026-53603 by updating to a version of \u003ccode\u003ego/github.com/forgekeep/nebula-mesh\u003c/code\u003e greater than \u003ccode\u003e0.3.7\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRestrict and encrypt all database backups and snapshots to prevent unauthorized access to the database where \u003ccode\u003eoperator_sessions\u003c/code\u003e are stored.\u003c/li\u003e\n\u003cli\u003eRotate the nebula-mesh operator database credentials and invalidate existing operator sessions after patching to ensure all plaintext tokens are no longer valid.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and logging for the database instance hosting the nebula-mesh data, monitoring for unusual query patterns or unauthorized access attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:37:22Z","date_published":"2026-07-14T20:37:22Z","id":"https://feed.craftedsignal.io/briefs/2026-07-nebula-mesh-plaintext-tokens/","summary":"Operator session tokens in ForgeKeep's nebula-mesh application are stored in plaintext within the database, allowing an attacker who gains read access to the database to retrieve active session tokens and hijack operator sessions, bypassing further authentication.","title":"Nebula-Mesh Stores Operator Session Tokens in Plaintext, Enabling Session Hijacking (CVE-2026-53603)","url":"https://feed.craftedsignal.io/briefs/2026-07-nebula-mesh-plaintext-tokens/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["nebula-mesh (\u003c 0.7.1)"],"_cs_severities":["high"],"_cs_tags":["certificate-revocation","network-overlay","defense-evasion","persistence","network"],"_cs_type":"advisory","_cs_vendors":["ForgeKeep"],"content_html":"\u003cp\u003eA significant security flaw, tracked as CVE-2026-61699, has been identified in ForgeKeep's nebula-mesh, affecting versions prior to 0.7.1. This vulnerability prevents the enforcement of certificate revocation, allowing compromised or offboarded hosts to retain full access to the Nebula mesh network. Despite the Nebula server correctly adding a host's certificate fingerprint to a per-CA blocklist and attempting to distribute this information, the agent fails to process or apply these updates. Furthermore, the configuration generator does not include the \u003ccode\u003epki.blocklist\u003c/code\u003e entry in the agent's \u003ccode\u003econfig.yml\u003c/code\u003e. This creates a critical security blind spot, as an attacker who has exfiltrated a host's key and certificate can bypass administrative revocation actions and maintain unauthorized persistence on the network for the remaining lifetime of the certificate, which can be up to 365 days for mobile hosts or 30 days for agent hosts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise\u003c/strong\u003e: An attacker successfully compromises a host within a Nebula mesh environment, gaining initial access through unrelated means (e.g., exploitation of another vulnerability or social engineering).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Exfiltration\u003c/strong\u003e: The attacker locates and exfiltrates the compromised host's Nebula client certificate (\u003ccode\u003ehost.crt\u003c/code\u003e) and private key (\u003ccode\u003ehost.key\u003c/code\u003e) files, which are used for authentication to the mesh.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOperator Revocation Attempt\u003c/strong\u003e: Upon detecting the compromise or as part of a routine offboarding process, the network operator initiates a revocation action for the compromised host via the Nebula administrative UI or API.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eServer-Side Blocklist Update\u003c/strong\u003e: The Nebula server correctly processes the revocation, adds the compromised host's certificate fingerprint to its internal per-CA blocklist, and flags other agents for updates.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Update Failure\u003c/strong\u003e: Neighboring Nebula agents poll the server and receive the \u003ccode\u003eblocklist\u003c/code\u003e information within the \u003ccode\u003eUpdatesResponse\u003c/code\u003e, but due to a flaw in \u003ccode\u003einternal/agent/poller.go\u003c/code\u003e, they decode and then discard this blocklist without applying it to their local configuration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration Generation Flaw\u003c/strong\u003e: Even if a configuration re-render is triggered, the \u003ccode\u003econfiggen\u003c/code\u003e component in \u003ccode\u003einternal/configgen/marshal.go\u003c/code\u003e and \u003ccode\u003einternal/configgen/generator.go\u003c/code\u003e lacks the necessary fields to include the \u003ccode\u003epki.blocklist\u003c/code\u003e entry in the generated \u003ccode\u003econfig.yml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence Maintained\u003c/strong\u003e: The attacker, using the previously exfiltrated \u003ccode\u003ehost.key\u003c/code\u003e and \u003ccode\u003ehost.crt\u003c/code\u003e, continues to operate the compromised host (or a clone) within the Nebula mesh, establishing connections and maintaining full overlay network reachability to all peers, completely bypassing the intended revocation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProlonged Unauthorized Access\u003c/strong\u003e: The attacker retains unauthorized access for the full duration of the host's certificate validity (up to 30 days for agents and 365 days for mobile hosts), as the mesh peers continue to validate and accept the \u0026quot;revoked\u0026quot; certificate.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe failure to enforce certificate revocation in ForgeKeep's nebula-mesh allows an already compromised host to maintain unauthorized network access and persistence despite administrative actions to block it. This means that a host, once deemed untrustworthy and revoked by an operator, can continue to communicate within the overlay network for an extended period - up to 30 days for agent hosts and 365 days for mobile hosts. An attacker who has exfiltrated the necessary certificate and key material can leverage this flaw to sustain command and control, exfiltrate data, or launch further attacks from a seemingly blocked endpoint. The operational impact is a false sense of security, as the UI/API may show a host as blocked while it retains full mesh connectivity, making it a critical bypass for defense evasion and persistence.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade immediately\u003c/strong\u003e: Patch affected ForgeKeep nebula-mesh installations to version 0.7.1 or later to address CVE-2026-61699.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor post-revocation activity\u003c/strong\u003e: Implement out-of-band monitoring for any network activity originating from hosts that have been administratively revoked, as they may still be active on the Nebula mesh due to CVE-2026-61699.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Nebula deployment\u003c/strong\u003e: Assess the integrity of all Nebula agents to ensure they are correctly updated and capable of processing and applying certificate blocklists.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement supplementary controls\u003c/strong\u003e: Apply additional network access controls (e.g., host-based firewalls, network segmentation) for critical services within the Nebula mesh to provide layered defense against unrevoked compromised nodes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:36:00Z","date_published":"2026-07-14T20:36:00Z","id":"https://feed.craftedsignal.io/briefs/2026-07-nebula-mesh-cert-revocation-bypass/","summary":"A high-severity vulnerability, CVE-2026-61699, in ForgeKeep's nebula-mesh allows compromised or offboarded hosts to bypass certificate revocation, enabling attackers to maintain full mesh network access for up to 365 days despite operator actions.","title":"ForgeKeep Nebula-Mesh Certificate Revocation Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-nebula-mesh-cert-revocation-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["nebula-mesh (\u003e= 0.6.0, \u003c= 0.7.1)"],"_cs_severities":["high"],"_cs_tags":["server-side-request-forgery","ssrf","privilege-escalation","authorization-bypass","web-application","nebula-mesh"],"_cs_type":"advisory","_cs_vendors":["ForgeKeep"],"content_html":"\u003cp\u003eA critical authorization bypass vulnerability (GHSA-7rx3-5wx3-5v76) in ForgeKeep's Nebula-mesh, affecting versions 0.6.0 through 0.7.1, allows non-admin operators to bypass server-side request forgery (SSRF) protection. Specifically, a user with the \u003ccode\u003euser\u003c/code\u003e role can enable \u003ccode\u003eallow_private: true\u003c/code\u003e when configuring webhook subscriptions (\u003ccode\u003ePOST\u003c/code\u003e/\u003ccode\u003ePATCH /api/v1/webhook-subscriptions\u003c/code\u003e), a field that lacks proper administrative access checks. This action forces the Nebula-mesh server's webhook dispatcher to use an unguarded HTTP client, circumventing internal network access controls and enabling connections to private, loopback, or link-local IP addresses. This flaw grants low-privileged attackers the ability to probe internal networks, interact blindly with internal services, and potentially exfiltrate sensitive data, such as cloud IAM credentials, escalating their privileges within the environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA non-admin operator (with \u003ccode\u003euser\u003c/code\u003e role) obtains a legitimate API key for the Nebula-mesh management interface.\u003c/li\u003e\n\u003cli\u003eThe operator sends an HTTP POST request to \u003ccode\u003e/api/v1/webhook-subscriptions\u003c/code\u003e, including \u003ccode\u003eallow_private: true\u003c/code\u003e in the JSON request body, along with a target internal or loopback URL (e.g., \u003ccode\u003ehttp://127.0.0.1:9999/internal-admin\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Nebula-mesh server processes this request and creates a webhook subscription, persisting the \u003ccode\u003eallow_private: true\u003c/code\u003e setting without performing an administrative role check.\u003c/li\u003e\n\u003cli\u003eThe operator triggers an event that corresponds to the webhook's subscription criteria (e.g., \u003ccode\u003ehost.enrolled\u003c/code\u003e, \u003ccode\u003ehost.blocked\u003c/code\u003e, \u003ccode\u003ehost.unblocked\u003c/code\u003e) for a resource they legitimately own.\u003c/li\u003e\n\u003cli\u003eUpon receiving the event, the Nebula-mesh server's webhook dispatcher prepares to send a notification. Due to \u003ccode\u003eallow_private: true\u003c/code\u003e, it selects an unguarded HTTP client, bypassing the standard SSRF protection mechanisms.\u003c/li\u003e\n\u003cli\u003eThe Nebula-mesh server initiates an outbound HTTP POST request from its own network context to the internal or loopback URL specified by the operator.\u003c/li\u003e\n\u003cli\u003eThe operator can query the status of the created webhook subscription (\u003ccode\u003eGET /api/v1/webhook-subscriptions/{id}\u003c/code\u003e) to observe \u003ccode\u003elast_status\u003c/code\u003e and \u003ccode\u003elast_error\u003c/code\u003e fields, functioning as a reachability oracle for internal services.\u003c/li\u003e\n\u003cli\u003eThrough iterative probing and blind interaction, the attacker can map the internal network, identify vulnerable services, and potentially extract sensitive information like cloud metadata or access control credentials, leading to privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation grants a non-admin operator server-side request capabilities against internal-only or loopback addresses, completely circumventing the security boundaries enforced for administrators. This exposure enables malicious actors to perform extensive internal network reconnaissance, identify and interact with sensitive internal services that are not typically exposed, and potentially exfiltrate critical information such as cloud IAM credentials from metadata services (depending on the cloud provider's metadata service version, e.g., IMDSv1). The consequence is a significant privilege escalation from a low-privileged user account, allowing for broader unauthorized access and potential control over the Nebula-mesh deployment and its underlying infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch Nebula-mesh to a version greater than 0.7.1 (or the fix release for GHSA-7rx3-5wx3-5v76) immediately to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Nebula-mesh Server Outbound Connections to Internal/Loopback IPs (SSRF Attempt)\u003c/code\u003e to your SIEM to detect suspicious network connections originating from the Nebula-mesh server to private, loopback, or link-local IP addresses.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict outbound connections from the Nebula-mesh server to only explicitly authorized and necessary internal services, limiting the impact of any potential SSRF.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:34:52Z","date_published":"2026-07-14T20:34:52Z","id":"https://feed.craftedsignal.io/briefs/2026-07-nebula-mesh-ssrf-bypass/","summary":"A vulnerability in Nebula-mesh allows non-admin operators with the 'user' role to bypass Server-Side Request Forgery (SSRF) protection by setting `allow_private: true` on webhook subscriptions, enabling the server to make requests to internal or loopback network addresses, which can lead to internal network probing, blind interaction with internal services, and potentially the exfiltration of cloud IAM credentials.","title":"Nebula-mesh Non-Admin SSRF Bypass via Webhook Configuration","url":"https://feed.craftedsignal.io/briefs/2026-07-nebula-mesh-ssrf-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - ForgeKeep","version":"https://jsonfeed.org/version/1.1"}