GHSA-ghmh-jhmj-wcmf: nebula-mesh's stores enrollment tokens unhashed in SQLite

June 22, 2026

internal/store/sqlite.go:1177,1192,1221,1245 — the enrollment_tokens.token column holds the raw UUID token. ConsumeToken does WHERE token = ? against the raw string. Compare with operator_api_keys.key_hash, which is SHA-256 hex (constructed in internal/api/middleware.go:51-53).

References

github.com/advisories/GHSA-ghmh-jhmj-wcmf
github.com/juev/nebula-mesh/security/advisories/GHSA-ghmh-jhmj-wcmf

Code Behaviors & Features

Detect and mitigate GHSA-ghmh-jhmj-wcmf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →