CVE-2026-29196: CVE-2026-29196: WireGuard Private Key Exposure via API in Netmaker

#security #cve #cybersecurity

CVE-2026-29196: WireGuard Private Key Exposure via API in Netmaker

Vulnerability ID: CVE-2026-29196
CVSS Score: 8.7
Published: 2026-03-09

Netmaker versions prior to 1.5.0 suffer from a critical excessive data exposure vulnerability (CWE-863). Authenticated users assigned the platform-user role can retrieve the cleartext WireGuard private keys for all nodes and external clients within a network via the REST API. This structural authorization failure allows an attacker to completely compromise network confidentiality by decrypting traffic and impersonating legitimate nodes.

TL;DR

An authorization and data sanitization failure in Netmaker's REST API allows low-privileged authenticated users to extract the plaintext WireGuard private keys of all network endpoints.

Technical Details

CWE ID: CWE-863 (Incorrect Authorization)
Attack Vector: Network
CVSS Score: 8.7 (High)
EPSS Score: 0.00041
Impact: Cryptographic Key Exposure / Full Network Decryption
Exploit Status: None Publicly Disclosed
KEV Status: Not Listed

Affected Systems

Netmaker Management Server
Netmaker API endpoints (/api/nodes/, /api/extclients/)
Netmaker: < 1.5.0 (Fixed in: 1.5.0)

Mitigation Strategies

Upgrade Netmaker to version 1.5.0 immediately.
Rotate all WireGuard private keys for all nodes and external clients if exploitation is suspected.
Restrict API access using a WAF or reverse proxy if immediate patching is not feasible.
Audit existing Netmaker accounts and remove unnecessary platform-user role assignments.

Remediation Steps:

Backup the current Netmaker database and configuration.
Deploy the Netmaker 1.5.0 release via the official Docker images or binaries.
Verify the application version in the UI dashboard.
Using an administrative account, issue a command to rotate the cryptographic material for the network.
Ensure all managed nodes successfully sync the new configuration.