Netmaker IDOR Vulnerability Allows User to Update Other User's Password
Description
Netmaker makes networks with WireGuard. An Insecure Direct Object Reference (IDOR) vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user's username in the update request, an authenticated user could update that other user's password. The issue is patched in 0.17.1 and fixed in 0.18.6. Users on 0.17.1 should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`; this switches them to the patched version. Users on v0.18.0-0.18.5 should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server.
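The defect and its fix reduce to one object-level authorization check in the update handler: the username in the URL path must match the identity carried by the caller's token unless the caller is an admin, and only an admin may grant admin rights. The following is an added example, not Netmaker's code; it assumes a constructed `user:<name>:<admin|member>` bearer token in place of a signed JWT, an in-memory user map with constructed sample accounts, and a `checkOwner` switch that reproduces the vulnerable behaviour beside the hardened one so the two can be compared.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// caller is the identity recovered from the Authorization header. The token
// format "user:<name>:<admin|member>" is a constructed stand-in for a JWT.
type caller struct {
	Username string
	IsAdmin  bool
}

var errBadAuth = errors.New("invalid auth header")
var errUnauthorized = errors.New("not authorized")

// callerFromAuthHeader parses "Bearer user:<name>:<role>"; it rejects a missing
// scheme, extra fields, and a malformed token instead of guessing.
func callerFromAuthHeader(h string) (caller, error) {
	parts := strings.Fields(h)
	if len(parts) != 2 || parts[0] != "Bearer" {
		return caller{}, errBadAuth
	}
	tok := strings.Split(parts[1], ":")
	if len(tok) != 3 || tok[0] != "user" {
		return caller{}, errBadAuth
	}
	return caller{Username: tok[1], IsAdmin: tok[2] == "admin"}, nil
}

type userUpdate struct {
	Password string `json:"password"`
	IsAdmin  bool   `json:"isadmin"`
}

type userRecord struct {
	Password string
	IsAdmin  bool
}

// In-memory store standing in for the database (constructed sample accounts).
var (
	mu    sync.Mutex
	users = map[string]*userRecord{
		"alice": {Password: "alice-old"},
		"bob":   {Password: "bob-old"},
		"root":  {Password: "root-old", IsAdmin: true},
	}
)

// authorizeUserUpdate is the check the IDOR fix adds: a caller may only update
// its own record unless it is an admin, and only an admin may grant admin rights.
func authorizeUserUpdate(c caller, target string, change userUpdate) error {
	if target != c.Username && !c.IsAdmin {
		return errUnauthorized
	}
	if change.IsAdmin && !c.IsAdmin {
		return errUnauthorized
	}
	return nil
}

// updateUserHandler serves PUT /api/users/{username}. With checkOwner=false the
// path username alone selects the target record, which is the IDOR.
func updateUserHandler(checkOwner bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		c, err := callerFromAuthHeader(r.Header.Get("Authorization"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}
		target := strings.TrimPrefix(r.URL.Path, "/api/users/")
		var change userUpdate
		if err := json.NewDecoder(r.Body).Decode(&change); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if checkOwner {
			if err := authorizeUserUpdate(c, target, change); err != nil {
				http.Error(w, err.Error(), http.StatusUnauthorized)
				return
			}
		}
		mu.Lock()
		defer mu.Unlock()
		u, ok := users[target]
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		u.Password = change.Password
		u.IsAdmin = change.IsAdmin
		w.WriteHeader(http.StatusOK)
	}
}

// tryUpdate sends one update and returns the HTTP status and the target's
// password afterwards, so the unpatched and patched outcomes can be compared.
func tryUpdate(checkOwner bool, token, target, body string) (int, string) {
	req := httptest.NewRequest(http.MethodPut, "/api/users/"+target, strings.NewReader(body))
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	updateUserHandler(checkOwner)(rec, req)
	mu.Lock()
	defer mu.Unlock()
	pw := ""
	if u, ok := users[target]; ok {
		pw = u.Password
	}
	return rec.Code, pw
}

func main() {
	code, pw := tryUpdate(false, "user:alice:member", "bob", `{"password":"changed"}`)
	fmt.Println("unpatched: status", code, "bob's password:", pw)
	code, pw = tryUpdate(true, "user:alice:member", "bob", `{"password":"changed-again"}`)
	fmt.Println("patched:   status", code, "bob's password:", pw)
}
```

The point to carry away is that the path parameter is attacker-controlled input like any other; the authorization decision has to be made against the identity the server itself verified, and it has to cover every privileged field in the body (here `isadmin`), not only the record being selected.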
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/gravitl/netmaker | Go | < 0.17.1 | 0.17.1 |
| github.com/gravitl/netmaker | Go | >= 0.18.0, < 0.18.6 | 0.18.6 |
Patches
b3be57c65bf0 Merge pull request #2158 from gravitl/GRA-1479-user-updates
2 files changed · +29 −0
controllers/user.go+16 −0 modified@@ -331,7 +331,18 @@ func updateUser(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "application/json") var params = mux.Vars(r) // start here + jwtUser, _, isadmin, err := logic.VerifyJWT(r.Header.Get("Authorization")) + if err != nil { + logger.Log(0, "verifyJWT error", err.Error()) + logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal")) + return + } username := params["username"] + if username != jwtUser && !isadmin { + logger.Log(0, "non-admin user", jwtUser, "attempted to update user", username) + logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("not authorizied"), "unauthorized")) + return + } user, err := logic.GetUser(username) if err != nil { logger.Log(0, username, @@ -354,6 +365,11 @@ func updateUser(w http.ResponseWriter, r *http.Request) { logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest")) return } + if userchange.IsAdmin && !isadmin { + logger.Log(0, "non-admin user", jwtUser, "attempted get admin privilages") + logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("not authorizied"), "unauthorized")) + return + } userchange.Networks = nil user, err = logic.UpdateUser(&userchange, user) if err != nil {
logic/jwts.go+13 −0 modified@@ -3,6 +3,7 @@ package logic import ( "errors" "fmt" + "strings" "time" "github.com/golang-jwt/jwt/v4" @@ -101,6 +102,18 @@ func CreateUserJWT(username string, networks []string, isadmin bool) (response s return "", err } +// VerifyJWT verifies Auth Header +func VerifyJWT(bearerToken string) (username string, networks []string, isadmin bool, err error) { + token := "" + tokenSplit := strings.Split(bearerToken, " ") + if len(tokenSplit) > 1 { + token = tokenSplit[1] + } else { + return "", nil, false, errors.New("invalid auth header") + } + return VerifyUserToken(token) +} + // VerifyUserToken func will used to Verify the JWT Token while using APIS func VerifyUserToken(tokenString string) (username string, networks []string, isadmin bool, err error) { claims := &models.UserClaims{}
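Review bot: in the first `controllers/user.go` hunk, a failed `logic.VerifyJWT` is reported with `logic.FormatError(err, "internal")`, so a missing or malformed Authorization header produces an internal-error response rather than the "unauthorized" response used two lines further down for the ownership check; `logic.FormatError(err, "unauthorized")` would be the consistent choice. The error text `"not authorizied"` is also misspelled and is constructed inline twice in this file; a single package-level `errors.New("not authorized")` would fix the spelling in one place.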
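Review bot: in the second `controllers/user.go` hunk, the `userchange.IsAdmin && !isadmin` guard is the right place to stop a non-admin from promoting itself, but the log line `"attempted get admin privilages"` is both ungrammatical and misspelled; suggest `"attempted to get admin privileges"`. Consider also recording the target `username` in that log entry, as the first hunk does, so the two unauthorized paths are equally attributable in the audit log.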
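Review bot: in the `logic/jwts.go` hunk adding `VerifyJWT`, the header is split on a single space and `tokenSplit[1]` is used whenever there is more than one part, so the scheme is never checked and a header of the form `Basic <creds>` or `Bearer  <token>` (two spaces) is forwarded to `VerifyUserToken` as an empty or non-JWT string. Suggest `parts := strings.Fields(bearerToken)` and rejecting the header unless `len(parts) == 2 && parts[0] == "Bearer"`, and expanding the doc comment from `// VerifyJWT verifies Auth Header` to state that the expected form is `Bearer <token>`.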
References
- github.com/advisories/GHSA-256m-j5qw-38f4 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-32078 (NVD advisory)
- github.com/gravitl/netmaker/commit/b3be57c65bf0bbfab43b66853c8e3637a43e2839 (fix commit)
- github.com/gravitl/netmaker/pull/2158 (fix pull request)
- github.com/gravitl/netmaker/security/advisories/GHSA-256m-j5qw-38f4 (vendor advisory)