CVE-2026-47724
nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation
Description
The `/api/v1/*` route surface trusts the bearer token alone for authorisation on most endpoints. The codebase itself admits this at `internal/api/hosts.go:384`: *"API trusts the bearer token for authorisation; per-CA ownership is enforced only in the Web layer."* The Web UI gates state-changing routes through `loadAccessibleCA` (`internal/web/cas.go`); CA-management endpoints in `internal/api/cas.go` ALSO have proper `canAccessCA` gates. **The gap is on the host, network, firewall, mobile-bundle, and most operator endpoints.** Combined with the per-operator CA model from ADR 0002, this gives any non-admin operator API key broad cross-tenant access — instant privilege escalation in the worst case. ## Affected All released versions prior to v0.3.4. ## Exploit chain ### A) Mint admin API key from any operator key (instant privilege escalation) `internal/api/operators.go:118` — `handleCreateOperatorAPIKey` does no admin check and no actor/target-operator ownership check. Any operator key can call it for any operator (including admins) and receive a fresh bearer. ``` curl -X POST -H "Authorization: Bearer <low-priv-key>" \ https://server/api/v1/operators/<admin-id>/api-keys \ -H 'Content-Type: application/json' -d '{"name":"oops"}' # Returns: {"key":"<32-byte admin bearer>","entry":{...}} ``` Reuse the returned key for subsequent requests → full admin. ### B) Cross-operator host takeover via reenroll `internal/api/hosts.go:321,330` → `mintEnrollmentTokenForHost`. Looks up host by URL param, mints a single-use enrollment token, returns it. No ownership check. ``` curl -X POST -H "Authorization: Bearer <low-priv-key>" \ https://server/api/v1/hosts/<victim-host-id>/reenroll # Returns: {"enrollment_token":"<uuid>",...} ``` Caller POSTs `/api/v1/enroll` with their own X25519 + Ed25519 keypairs. `enroll.go:175` overwrites `signing_pub_pem`; `SaveCertificateAndEnrollHost` overwrites the cert. Legitimate agent's next signed poll fails `bad_signature`. Attacker now owns the victim's Nebula identity. ### C) Cross-tenant CRUD on hosts, networks, firewall The same gap applies across: - `/api/v1/hosts*` — create, list, get, update, delete, block, unblock - `/api/v1/networks*` — create, list, get - `/api/v1/networks/{id}/firewall` — get, PUT - `/api/v1/hosts/{id}/mobile-bundle` (already filed as public issue #119) All trust bearer-auth alone. Any operator can read or mutate any other operator's resources. ## Affected operator-management handlers (in addition to A) Beyond `handleCreateOperatorAPIKey` (covered by A), `internal/api/operators.go` is missing admin gates on: - `handleListOperators` (line 66) — operator roster info disclosure - `handleDisableOperator` (line 79) — DoS / sabotage - `handleEnableOperator` (line 94) — re-enable disabled operators - `handleRevokeOperatorAPIKey` (line 157) — invalidate any operator's API keys - `handleListOperatorAPIKeys` (line 173) — API-key metadata disclosure `handleCreateOperator` (line 26) IS properly gated (`actorIsAdmin` at line 27). ## NOT affected (verified) `internal/api/cas.go` properly gates every CA endpoint via `canAccessCA` (calls at lines 70, 176, 216) and admin shortcuts at lines 39, 82. An earlier description draft mistakenly listed `/api/v1/cas/{id}/rotate` as affected — that endpoint is properly protected. CAs are not in this gap. ## Impact - Any non-admin operator → admin via one curl (A). - Any non-admin operator → ownership of any victim's hosts with cert + identity transfer (B). - Mass cross-tenant CRUD including firewall-rule mutation (C). - Any operator → disable/enable other operators, revoke their API keys, enumerate the operator roster. CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H — 9.6. ## Suggested fix Shared helpers in a new `internal/api/authz.go`, mirroring the Web layer's `loadAccessibleCA`: ```go func (s *Server) requireAdmin(w http.ResponseWriter, r *http.Request) bool func (s *Server) requireOperatorAccess(w http.ResponseWriter, r *http.Request, operatorID string) bool func (s *Server) requireHostAccess(w http.ResponseWriter, r *http.Request, hostID string) (*models.Host, bool) func (s *Server) requireNetworkAccess(w http.ResponseWriter, r *http.Request, networkID string) (*models.Network, bool) ``` Each loads the resource, resolves its CA via `*.CAID`, accepts if `actorIsAdmin(ctx)` OR actor owns the CA. Reject `403 forbidden`; audit-log `api.<resource>.forbidden` with the reason. The operator-management endpoints take `requireAdmin` instead (operator ownership doesn't map to CA ownership). Apply at the top of every host-, network-, firewall-, mobile-bundle-touching API handler, plus the 5 operator endpoints listed above. The legacy config-key path retains admin (preserves backward compatibility); the broader legacy-fallback question is tracked separately as issue #121. ## Test matrix - admin → all operations permitted - owning non-admin → operations on owned hosts/networks permitted - non-owner non-admin → 403 + audit entry - legacy config-key → preserved (admin) - unauthenticated → existing 401 from middleware ## Coordinated context Subsumes public issue #119 (mobile-bundle authz). Issue #121 (actor.go:40 legacy-admin fallback) is a separate concern tracked independently.