CVE-2026-47768: nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)
internal/web/operators.go:251 — after handleOperatorCreateAPIKey mints a fresh 32-byte bearer token, the redirect points the operator’s browser at:
/ui/operators/?new_key=<token>&key_name=<name>
The raw API key ends up:
- in the browser's URL history
- in the Referer header on every cross-origin asset the detail page loads (any third-party SVG/CSS/JS resource the layout pulls in)
- in any reverse-proxy or load-balancer access log on the path (nginx's default combined log format captures the query string)
- in any structured log sink the operator's local browser-history backup tool ships out
Authorization: Bearer <token> headers go through the same hops without these problems because access logs typically don’t capture request headers and the browser doesn’t replay headers cross-origin.
The same handler also appends the operator-supplied name (r.FormValue("name")) to the query string without url.QueryEscape, so an & in the key name corrupts query parsing, and a \r\n could split response headers on older proxies.
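As an added illustration, not code from nebula-mesh, the Go snippet below reproduces the reported redirect pattern beside a hardened variant: keyStash is a hypothetical single-use, server-side handoff, and /ui/operators/ is the path from the advisory.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"net/url"
	"sync"
)

// vulnerableRedirect reproduces the reported pattern: token and name concatenated raw into the query.
func vulnerableRedirect(key, name string) string {
	return "/ui/operators/?new_key=" + key + "&key_name=" + name
}

// keyStash: hypothetical single-use server-side handoff (constructed here); the URL carries only a reference.
type keyStash struct {
	mu    sync.Mutex
	items map[string]string
}
func newKeyStash() *keyStash { return &keyStash{items: map[string]string{}} }

// put stores key under a random 128-bit reference and returns that reference.
func (s *keyStash) put(key string) string {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // no usable randomness: refuse to mint a reference
	}
	ref := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.items[ref] = key
	return ref
}

// take hands the key out once and deletes it; a reference that later shows up in history, Referer or an access log redeems nothing.
func (s *keyStash) take(ref string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key, ok := s.items[ref]
	delete(s.items, ref)
	return key, ok
}

// hardenedRedirect escapes the name via url.Values (& -> %26, CR LF -> %0D%0A) and carries only the single-use reference.
func hardenedRedirect(s *keyStash, key, name string) string {
	q := url.Values{}
	q.Set("key_ref", s.put(key))
	q.Set("key_name", name)
	return "/ui/operators/?" + q.Encode()
}
```

The detail page redeems key_ref once with take and shows the key in the response body, so the secret never transits the URL.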