CVE-2026-48058: nebula-mesh: Session and OIDC state cookies lack the Secure attribute

June 10, 2026

internal/web/session.go and internal/web/oidc.go set HttpOnly and SameSite=Lax on every cookie but never Secure. A single plaintext request to the origin (operator on a LAN, mistyped URL, HTTP→HTTPS not strictly enforced, reverse proxy misconfiguration) discloses the session.

References

github.com/advisories/GHSA-rqfj-vv8r-xhqc
github.com/forgekeep/nebula-mesh/commit/ffdd67dbf221d9a5855c39fbe11b49c245048d85
github.com/juev/nebula-mesh/security/advisories/GHSA-rqfj-vv8r-xhqc
nvd.nist.gov/vuln/detail/CVE-2026-48058

Code Behaviors & Features

Detect and mitigate CVE-2026-48058 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →