High severity 8.2 · NVD Advisory · Published Apr 28, 2026 · Updated May 18, 2026
CVE-2026-38651
Description
An authentication bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information.
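The difference between decoding a host token and verifying it, as an added example that is not Netmaker's code. The function names, the `host_id` claim, the HS256 algorithm and the keys are assumptions constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// seal appends the HMAC-SHA256 tag to a signing input of the form "header.payload".
func seal(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return msg + "." + b64.EncodeToString(m.Sum(nil))
}

// sign builds a compact token; used only to construct sample input (hypothetical claim name).
func sign(key []byte, hostID string) string {
	return seal(key, b64.EncodeToString([]byte(`{"alg":"HS256"}`))+"."+b64.EncodeToString([]byte(`{"host_id":"`+hostID+`"}`)))
}

// decodeOnly shows the flaw class: claims are read, the signature is never checked.
func decodeOnly(token string) (string, error) {
	var c struct{ HostID string `json:"host_id"` }
	_, rest, _ := strings.Cut(token, ".")
	payload, _, _ := strings.Cut(rest, ".")
	raw, err := b64.DecodeString(payload)
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return c.HostID, err
}

// verifyThenDecode recomputes the tag with the server key (algorithm fixed here, not read from the header) before trusting claims.
func verifyThenDecode(token string, key []byte) (string, error) {
	i := strings.LastIndex(token, ".")
	if i < 0 || !hmac.Equal([]byte(token), []byte(seal(key, token[:i]))) {
		return "", fmt.Errorf("bad or missing signature")
	}
	return decodeOnly(token)
}

func main() {
	fmt.Println(verifyThenDecode(sign([]byte("constructed-other-key"), "host-a"), []byte("constructed-server-key")))
}
```

A regression test for a fix of this kind should assert that a token signed with a key other than the server's is rejected, not only that a valid token is accepted.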
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/gravitl/netmaker (Go) | < 1.5.0 | 1.5.0 |
References
- github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79b (nvd: Patch, WEB)
- www.zyenra.com/advisories/netmaker-jwt-verification-bypass (nvd: Exploit, Third Party Advisory, WEB)
- www.zyenra.com/advisories/netmaker-jwt-verification-bypass/ (nvd: Exploit, Third Party Advisory)
- www.zyenra.com/blog/netmaker-jwt-verification-bypass (nvd: Exploit, Third Party Advisory)
- github.com/advisories/GHSA-qpv2-rwc8-c993 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-38651 (ghsa: ADVISORY)