← back
CVE-2026-38651

CVE-2026-38651

CVSS 8.2 HIGHEPSS 0.3%CWE-347
Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Affected products
n/a · n/a
public PoCs found1
cve_referencewww.zyenra.com/advisories/netmaker-jwt-verification-bypass/unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79bhttps://www.zyenra.com/advisories/netmaker-jwt-verification-bypasshttps://www.zyenra.com/advisories/netmaker-jwt-verification-bypass/https://www.zyenra.com/blog/netmaker-jwt-verification-bypass