pkg:Go/github.com/forgekeep/nebula-mesh
7 total CVEsHIGH1MEDIUM2
✅ Check your installed version
All known vulnerabilities
HIGH8.1CVE-2026-61699nebula-mesh: Certificate revocation is never enforced at the mesh from 0, < 0.7.1
MEDIUM5.4CVE-2026-55513nebula-mesh: Web UI host creation ignores configured enrollment token TTL and mints 24-hour bearer enrollment tokens >= 0.3.0, < 0.5.0
MEDIUM5.3CVE-2026-55512nebula-mesh: Unauthenticated OIDC login endpoint allocates unbounded in-memory state entries without rate limiting >= 0.2.0, < 0.5.0
—nebula-mesh: Operator session tokens stored in plaintext in the database
from 0, < 0.3.8
—nebula-mesh: CA private key not zeroized on web mobile-bundle error paths
from 0, < 0.3.8
—nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate
from 0, < 0.3.7
—nebula-mesh: Decrypted CA private key persists in heap after signing in github.com/forgekeep/nebula-mesh
from 0, < 0.3.7
—nebula-mesh: Decrypted CA private key persists in heap after signing in github.com/forgekeep/nebula-mesh
from 0, < 0.3.7