CVE-2026-29195
MEDIUM WAF: Low
CVSS 6.5
Published: 2026-03-07
CWE-863
Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler (PUT /api/users/{username}) lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly blocks an admin from assigning the admin role to another user, it does not include an equivalent check for the super-admin role. This issue has been patched in version 1.5.0.
WAF Coverage Analysis
Incorrect Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| gravitl | netmaker | up to 1.5.0 |
References
- github.com (Product, Release Notes)
- github.com (Vendor Advisory)