NetBird has Race Condition on UpdateUser Function, Resulting in Privilege Escalation From Admin to Owner
A race condition vulnerability allows authenticated admin-privileged users to escalate to owner privilege.
Advisories for Golang/Github.com/Netbirdio/Netbird package
2026
2025
NetBird VPN does not remove the default password of an admin account
NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL. This issue affects instances installed using vendor's provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed. This issue has been fixed in version 0.57.0.
2024
NetBird uses a static initialization vector (IV)
A static initialization vector (IV) in the encrypt function of netbird management's service from v0.23.2 to v0.29.1 allows attackers to obtain sensitive information (email addresses) when in possession of the audit events database.