GHSA-GHMH-JHMJ-WCMF: Plaintext Storage of Enrollment Tokens at Rest in SQLite in nebula-mesh
Vulnerability ID: GHSA-GHMH-JHMJ-WCMF
CVSS Score: 5.1
Published: 2026-06-22
The self-hosted Slack Nebula VPN control plane, nebula-mesh, stored high-privilege enrollment tokens in plaintext inside its SQLite database. This flaw allowed any adversary with read access to the database to retrieve pending tokens and enroll unauthorized hosts into the secure VPN mesh.
TL;DR
Plaintext enrollment tokens stored in SQLite allowed attackers with database read access to register unauthorized nodes on private VPN meshes.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-312, CWE-256
- Attack Vector: Local / Read-only Database Access
- CVSS v4.0 Score: 5.1 (Medium)
- Exploit Status: PoC
- Impact: Unauthorized VPN Mesh Host Enrollment
- Remediation Status: Patched in v0.3.2
Affected Systems
- nebula-mesh (github.com/juev/nebula-mesh)
- nebula-mesh (github.com/forgekeep/nebula-mesh)
- nebula-mesh: <= v0.3.0 (fixed in v0.3.2)
Exploit Details
- GitHub Security Advisory: Advisory details for plaintext token vulnerability in SQLite store.
Mitigation Strategies
- Upgrade nebula-mesh to version v0.3.2 or newer to enforce SHA-256 token hashing.
- Apply restrictive filesystem permissions (chmod 0600) to nebula-mgmt.db to limit read access.
- Rotate and invalidate any outstanding or expired enrollment tokens.
Remediation Steps
- Verify the running version of nebula-mesh and stop the control plane service.
- Backup the active SQLite database file (nebula-mgmt.db).
- Install the updated nebula-mesh binary (version v0.3.2 or newer).
- Run the database schema migrations to apply the 016_enrollment_token_hash.up.sql update.
- Identify hosts with pending enrollments and regenerate their enrollment tokens.
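As an added illustration of the two mitigations above (hashing enrollment tokens at rest and keeping the database file at 0600) and of what the plaintext-to-hash schema migration in the remediation steps has to accomplish, the following Go program is example code written for this page; it is not nebula-mesh's own code or schema. An in-memory map stands in for the SQLite enrollment table, the type, function and error names are assumptions, and the legacy row built in the test is constructed data standing in for what a pre-v0.3.2 database would hold.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io/fs"
	"time"
)

// Error values for Redeem (names are this example's own, not nebula-mesh's).
var (
	ErrTokenMismatch = errors.New("enrollment token does not match")
	ErrTokenUsed     = errors.New("enrollment token already redeemed")
	ErrTokenExpired  = errors.New("enrollment token expired")
)

// enrollmentRow is a constructed stand-in for one row of the enrollment
// table. The vulnerable shape kept Token in plaintext; the fixed shape keeps
// only TokenHash, so a reader of the database file learns nothing usable.
type enrollmentRow struct {
	HostID    string
	Token     string // legacy plaintext column; empty once migrated
	TokenHash string // hex SHA-256 of the token
	ExpiresAt time.Time
	Used      bool
}

// hashToken is the only form of a token that is ever written to storage.
func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// tokenStore is an in-memory stand-in for the SQLite store, keyed by host ID.
type tokenStore struct{ rows map[string]*enrollmentRow }

func newTokenStore() *tokenStore { return &tokenStore{rows: map[string]*enrollmentRow{}} }

// IssueToken draws a random 256-bit token, persists only its hash, and
// returns the plaintext once so it can be handed to the host out of band.
func (s *tokenStore) IssueToken(hostID string, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", fmt.Errorf("generate enrollment token: %w", err)
	}
	token := hex.EncodeToString(raw)
	s.rows[hostID] = &enrollmentRow{HostID: hostID, TokenHash: hashToken(token), ExpiresAt: now.Add(ttl)}
	return token, nil
}

// Redeem verifies a presented token against the stored hash in constant time
// (so response timing does not reveal how much of the hash matched), then
// enforces single use and expiry. An unknown host is reported exactly like a
// wrong token, so a caller without the token learns nothing about pending enrollments.
func (s *tokenStore) Redeem(hostID, token string, now time.Time) error {
	row, ok := s.rows[hostID]
	if !ok || subtle.ConstantTimeCompare([]byte(hashToken(token)), []byte(row.TokenHash)) != 1 {
		return ErrTokenMismatch
	}
	if row.Used {
		return ErrTokenUsed
	}
	if now.After(row.ExpiresAt) {
		return ErrTokenExpired
	}
	row.Used = true
	return nil
}

// MigrateLegacyRows does in memory what a plaintext-to-hash schema migration
// must do on disk: hash every remaining plaintext token and erase the
// plaintext. It returns the number of rows converted.
func (s *tokenStore) MigrateLegacyRows() int {
	n := 0
	for _, row := range s.rows {
		if row.Token == "" {
			continue
		}
		row.TokenHash, row.Token = hashToken(row.Token), ""
		n++
	}
	return n
}

// DBFileTooPermissive reports whether a database file mode grants group or
// others any access, i.e. is looser than the recommended 0600.
func DBFileTooPermissive(mode fs.FileMode) bool { return mode.Perm()&0o077 != 0 }

func main() {
	now := time.Now()
	store := newTokenStore()
	token, err := store.IssueToken("host-a", 15*time.Minute, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("at rest:", store.rows["host-a"].TokenHash) // the hash, never the token
	fmt.Println("first redeem:", store.Redeem("host-a", token, now))
	fmt.Println("second redeem:", store.Redeem("host-a", token, now))
}
```

Two design points carry over to a real store: the plaintext token exists only in the return value of IssueToken and is never logged or persisted, and a migration that hashes existing rows still leaves the old plaintext recoverable from backups and SQLite free pages, which is why the advisory also says to regenerate every pending token rather than rely on the migration alone.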