GHSA-6vgg-xhvh-38ff: nebula-mesh: POST /api/v1/hosts/{id}/mobile-bundle response lacks Cache-Control: no-store

June 12, 2026

internal/api/mobile_bundle.go:62-66 sets only Content-Type: application/yaml. The Web-UI sibling at internal/web/handlers.go:1316-1321 sets Cache-Control: no-store, Pragma: no-cache, Expires: 0, X-Content-Type-Options: nosniff — and has a test asserting it. The API path was missed.

References

github.com/advisories/GHSA-6vgg-xhvh-38ff
github.com/forgekeep/nebula-mesh/commit/c13d5b2c013b4b323bc0c87a6ecc6afba6384ee5
github.com/juev/nebula-mesh/security/advisories/GHSA-6vgg-xhvh-38ff

Code Behaviors & Features

Detect and mitigate GHSA-6vgg-xhvh-38ff with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →