CVE-2026-47723: nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)

June 8, 2026

None of the response paths in internal/web/ or internal/api/ set the standard browser-security headers. grep for Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy returns zero matches across the codebase.

References

github.com/advisories/GHSA-w7w5-5gcp-38rw
github.com/forgekeep/nebula-mesh/commit/b45fda5476c41ffcff1ca23058aef0fb851359c1
github.com/forgekeep/nebula-mesh/releases/tag/v0.3.1
github.com/juev/nebula-mesh/security/advisories/GHSA-w7w5-5gcp-38rw
nvd.nist.gov/vuln/detail/CVE-2026-47723

Code Behaviors & Features

Detect and mitigate CVE-2026-47723 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →