CVE-2026-47722: nebula-mesh: Host advanced overrides allow YAML injection into agent config.yml
internal/configgen/generator.go:86,108,119 interpolates the operator-supplied ListenHost and TunDevice fields, unescaped, into the text/template that produces the agent’s config.yml. internal/web/advanced.go:20-35 accepts both fields after only strings.TrimSpace, with no character or shape validation.
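One way to close the gap described above is to check both fields against a strict allow-list before they reach the template. The Go code below is an added example, not nebula-mesh's own code or its actual fix; the function names ValidateListenHost and ValidateTunDevice, the allow-list patterns, and the sample inputs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Assumed allow-lists (not taken from the project): interface names of at
// most 15 bytes, hosts that are IP literals or RFC 1123 hostnames. Neither
// shape can hold whitespace, control characters, '#', quotes or braces.
var (
	tunDeviceRe = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,15}$`)
	hostLabelRe = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)
)

// ValidateListenHost returns the normalized value, or an error if the
// input is neither an IP literal nor a dot-separated hostname.
func ValidateListenHost(raw string) (string, error) {
	v := strings.TrimSpace(raw)
	if v == "" {
		return "", nil // assumed: empty means "no override"
	}
	if ip := net.ParseIP(v); ip != nil {
		return ip.String(), nil
	}
	for _, label := range strings.Split(v, ".") {
		if !hostLabelRe.MatchString(label) {
			return "", fmt.Errorf("listen host %q is not an IP or hostname", v)
		}
	}
	return v, nil
}

// ValidateTunDevice accepts an empty value or a plain interface name.
func ValidateTunDevice(raw string) (string, error) {
	v := strings.TrimSpace(raw)
	if v != "" && (!tunDeviceRe.MatchString(v) || v == "." || v == "..") {
		return "", fmt.Errorf("tun device %q is not a valid interface name", v)
	}
	return v, nil
}

func main() {
	_, err := ValidateTunDevice("tun0\nextra: value") // constructed input
	fmt.Println("rejected:", err != nil)
}
```

Run validation in the web handler, and again in the generator so that values already stored before the check existed are not rendered unchecked.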