Netmaker has Hardcoded DNS Secret Key
Description
Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run docker pull gravitl/netmaker:v0.17.1 and docker-compose up -d. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/gravitl/netmakerGo | < 0.17.1 | 0.17.1 |
github.com/gravitl/netmakerGo | >= 0.18.0, < 0.18.6 | 0.18.6 |
Affected products
1Patches
29362c39a9a82Merge pull request #2170 from gravitl/GRA-1493/dns-key
2 files changed · +2 −2
logic/security.go+1 −1 modified@@ -187,7 +187,7 @@ func authenticateDNSToken(tokenString string) bool { if len(tokens) < 2 { return false } - return tokens[1] == servercfg.GetDNSKey() + return len(servercfg.GetDNSKey()) > 0 && tokens[1] == servercfg.GetDNSKey() } func ContinueIfUserMatch(next http.Handler) http.HandlerFunc {
servercfg/serverconf.go+1 −1 modified@@ -277,7 +277,7 @@ func GetMasterKey() string { // GetDNSKey - gets the configured dns key of server func GetDNSKey() string { - key := "secretkey" + key := "" if os.Getenv("DNS_KEY") != "" { key = os.Getenv("DNS_KEY") } else if config.Config.Server.DNSKey != "" {
2 files changed · +2 −2
logic/security.go+1 −1 modified@@ -187,7 +187,7 @@ func authenticateDNSToken(tokenString string) bool { if len(tokens) < 2 { return false } - return tokens[1] == servercfg.GetDNSKey() + return len(servercfg.GetDNSKey()) > 0 && tokens[1] == servercfg.GetDNSKey() } func ContinueIfUserMatch(next http.Handler) http.HandlerFunc {
servercfg/serverconf.go+1 −1 modified@@ -277,7 +277,7 @@ func GetMasterKey() string { // GetDNSKey - gets the configured dns key of server func GetDNSKey() string { - key := "secretkey" + key := "" if os.Getenv("DNS_KEY") != "" { key = os.Getenv("DNS_KEY") } else if config.Config.Server.DNSKey != "" {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-8x8h-hcq8-jwwxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-32077ghsaADVISORY
- github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51ghsax_refsource_MISCWEB
- github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657ghsax_refsource_MISCWEB
- github.com/gravitl/netmaker/pull/2170ghsax_refsource_MISCWEB
- github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwxghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.