VYPR
High severity8.2NVD Advisory· Published Apr 28, 2026· Updated May 18, 2026

CVE-2026-38651

CVE-2026-38651

Description

Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/gravitl/netmakerGo
< 1.5.01.5.0

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.

CVE-2026-38651 · High · VYPR