CVE-2026-47726: nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator

June 8, 2026

internal/api/audit.go:12 — handleGetAuditLog does no admin check. The route is bearer-auth gated only; any operator API key returns the full audit log via store.ListAuditEntries (up to limit=1000). This includes cross-tenant actor names, host/CA/operator IDs, action timestamps, and masked-IP entries from rate-limit refusals — enough surface for a tenant to enumerate the server’s activity, infer staffing patterns, or identify high-value targets.

References

github.com/advisories/GHSA-qm33-p5p9-f8vg
github.com/forgekeep/nebula-mesh/commit/8baaace54c2a23e7c351b3efab5a31ab07b125dc
github.com/forgekeep/nebula-mesh/releases/tag/v0.3.2
github.com/juev/nebula-mesh/security/advisories/GHSA-qm33-p5p9-f8vg
nvd.nist.gov/vuln/detail/CVE-2026-47726

Code Behaviors & Features

Detect and mitigate CVE-2026-47726 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →