
nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)

Moderate severity GitHub Reviewed Published May 21, 2026 in forgekeep/nebula-mesh • Updated Jun 10, 2026

Package

gomod github.com/juev/nebula-mesh (Go)

Affected versions

<= 0.3.1

Patched versions

0.3.2

Description

internal/web/operators.go:251 — after handleOperatorCreateAPIKey mints a fresh 32-byte bearer token, the redirect points the operator's browser at:

/ui/operators/<id>?new_key=<raw-token>&key_name=<name>

The raw API key ends up:

  • in the browser's URL history
  • in the Referer header on every cross-origin asset the detail page loads (any third-party SVG/CSS/JS resource the layout pulls in)
  • in any reverse-proxy or load-balancer access log on the path (nginx default combined log captures the query string)
  • in any sink that a browser-history sync, backup or endpoint-telemetry tool ships the operator's history to

An Authorization: Bearer <token> header crossing the same hops has none of these problems: default access-log formats record the request line, not request headers; browsers keep headers out of history; and the Referer carries the page URL, not the headers that fetched it.

The same handler also appends name (r.FormValue("name")) to the query string without url.QueryEscape, so an & in an operator-supplied key name splits the query and corrupts parsing of key_name. A \r\n in the name could in principle split response headers at an older proxy, though Go's net/http replaces CR and LF in header values with spaces when it writes the response, so from the Go side the concrete effect is the corrupted query string.

Affected

All released versions up to v0.3.1.

Reproducer

As admin, create an API key via /ui/operators/<id>/api-keys (form POST). The 303 response's Location header carries the raw token in its query string. Confirm it in browser DevTools (Network → the POST's response headers), in the reverse-proxy access log for the following GET, or in the Referer header on the detail page's sub-resource fetches.
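To find keys that have already been exposed through the proxy hop named in the reproducer, the following scanner over nginx "combined" access-log lines is an added example, not code from nebula-mesh. The four log lines and the token value are constructed for the example. It flags new_key= in both the request line (the redirected GET) and the Referer field (the detail page's sub-resource fetches), and can scrub the value before logs are shipped on.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleToken and sampleLog are constructed for this example; the token is not a real key.
const sampleToken = "k3yEXAMPLEtokenEXAMPLEtokenEXAMPLEtoken0123"

const sampleLog = `10.0.0.5 - admin [21/May/2026:10:01:22 +0000] "POST /ui/operators/7/api-keys HTTP/1.1" 303 0 "https://mesh.example/ui/operators/7" "Mozilla/5.0"
10.0.0.5 - admin [21/May/2026:10:01:22 +0000] "GET /ui/operators/7?new_key=` + sampleToken + `&key_name=deploy HTTP/1.1" 200 4210 "https://mesh.example/ui/operators/7" "Mozilla/5.0"
10.0.0.5 - admin [21/May/2026:10:01:23 +0000] "GET /static/app.css HTTP/1.1" 200 812 "https://mesh.example/ui/operators/7?new_key=` + sampleToken + `&key_name=deploy" "Mozilla/5.0"
10.0.0.9 - - [21/May/2026:10:02:00 +0000] "GET /ui/operators/8 HTTP/1.1" 200 3999 "-" "curl/8.0"
`

// combinedRe matches the nginx "combined" format:
// $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
var combinedRe = regexp.MustCompile(`^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$`)

type exposure struct {
	Line   int
	Client string
	Field  string // "request" or "referer"
	Token  string
}

// newKeyParam returns the new_key query value of a path or absolute URL, if present.
func newKeyParam(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false
	}
	v := u.Query().Get("new_key")
	return v, v != ""
}

// findExposedKeys scans combined-format lines for new_key= in the request line and in the Referer.
func findExposedKeys(logText string) []exposure {
	var out []exposure
	for i, line := range strings.Split(strings.TrimRight(logText, "\n"), "\n") {
		m := combinedRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if parts := strings.Fields(m[4]); len(parts) >= 2 {
			if tok, ok := newKeyParam(parts[1]); ok {
				out = append(out, exposure{i + 1, m[1], "request", tok})
			}
		}
		if tok, ok := newKeyParam(m[6]); ok {
			out = append(out, exposure{i + 1, m[1], "referer", tok})
		}
	}
	return out
}

var newKeyRe = regexp.MustCompile(`([?&]new_key=)[^&"\s]*`)

// redact blanks the new_key value so existing logs can be scrubbed before they are shipped on.
func redact(logText string) string {
	return newKeyRe.ReplaceAllString(logText, "${1}REDACTED")
}

func main() {
	for _, e := range findExposedKeys(sampleLog) {
		fmt.Printf("line %d client %s (%s): revoke key starting %s\n", e.Line, e.Client, e.Field, e.Token[:8])
	}
	fmt.Println("token still present after redact:", strings.Contains(redact(sampleLog), sampleToken))
}
```

Every token the scanner reports should be revoked rather than merely scrubbed: the log copy is only one of the places the URL landed.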

Suggested fix

Stash the raw key in one-shot server-side flash storage (e.g. a row in operator_sessions keyed by session token, with one_shot_token and consumed_at columns) or in a short-lived signed cookie. Render the key once inline on the detail page after the redirect and clear the storage on render. The pattern mirrors the recovery-codes display in the TOTP flow.

If the flash-storage refactor is too invasive, the minimal fix is to answer the POST directly with 200 OK and HTML that shows the key inline (no redirect), giving up the post-redirect-get idiom but eliminating the URL exposure.

Also fix name query encoding with url.QueryEscape regardless of which fix shape lands.
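The following is an added example, not nebula-mesh's code, that puts the handler shape described above next to the suggested fix. It assumes a session cookie named "session", a made-up operator id 7, and an in-memory one-shot store standing in for the operator_sessions row; the httptest helpers show what ends up in the Location header (what a proxy log or Referer would carry) and that the key renders exactly once.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// mintToken returns a fresh 32-byte bearer token as 43 chars of unpadded base64url.
func mintToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// vulnerableCreateKey reproduces the pattern the advisory describes: raw token and
// unescaped name both land in the Location query string. Operator id 7 is made up.
func vulnerableCreateKey(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "/ui/operators/7?new_key="+mintToken()+"&key_name="+r.FormValue("name"), http.StatusSeeOther)
}

// flashStore is a one-shot server-side stash keyed by session id (stand-in for the operator_sessions row).
type flashStore struct{ keys sync.Map }

func (s *flashStore) Put(session, rawKey string) { s.keys.Store(session, rawKey) }

// Take removes the entry atomically, so the key can be rendered only once.
func (s *flashStore) Take(session string) (string, bool) {
	v, ok := s.keys.LoadAndDelete(session)
	if !ok {
		return "", false
	}
	return v.(string), true
}

// sessionID reads the session cookie; the cookie name "session" is an assumption.
func sessionID(r *http.Request) string {
	if c, err := r.Cookie("session"); err == nil {
		return c.Value
	}
	return ""
}

// fixedCreateKey keeps the token out of the URL and escapes the operator-supplied name.
func (s *flashStore) fixedCreateKey(w http.ResponseWriter, r *http.Request) {
	sid := sessionID(r)
	if sid == "" {
		http.Error(w, "no session", http.StatusUnauthorized)
		return
	}
	s.Put(sid, mintToken())
	http.Redirect(w, r, "/ui/operators/7?key_name="+url.QueryEscape(r.FormValue("name")), http.StatusSeeOther)
}

// fixedDetail renders the key once, HTML-escaped, consuming the flash entry; no-store and
// no-referrer keep the page itself out of caches and out of Referer headers.
func (s *flashStore) fixedDetail(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Cache-Control", "no-store")
	w.Header().Set("Referrer-Policy", "no-referrer")
	if key, ok := s.Take(sessionID(r)); ok {
		fmt.Fprintf(w, `<p>New API key (shown once): <code id="new-key">%s</code></p>`, html.EscapeString(key))
	}
}

// redirectQuery posts the create form to h as session "sess-1" and returns the parsed
// query of the Location header, i.e. what a proxy access log or Referer would carry.
func redirectQuery(h http.HandlerFunc, name string) url.Values {
	form := url.Values{"name": {name}}
	req := httptest.NewRequest(http.MethodPost, "/ui/operators/7/api-keys", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(&http.Cookie{Name: "session", Value: "sess-1"})
	rec := httptest.NewRecorder()
	h(rec, req)
	loc, _ := url.Parse(rec.Header().Get("Location")) // produced by our own handler above
	return loc.Query()
}

// getDetail loads the detail page as session "sess-1" and returns the HTML body.
func getDetail(s *flashStore) string {
	req := httptest.NewRequest(http.MethodGet, "/ui/operators/7", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: "sess-1"})
	rec := httptest.NewRecorder()
	s.fixedDetail(rec, req)
	return rec.Body.String()
}

func main() {
	q := redirectQuery(vulnerableCreateKey, "a&b")
	fmt.Println("vulnerable: new_key in Location:", q.Has("new_key"), "key_name parsed as:", q.Get("key_name"))
	s := &flashStore{}
	q = redirectQuery(s.fixedCreateKey, "a&b")
	fmt.Println("fixed: new_key in Location:", q.Has("new_key"), "key_name parsed as:", q.Get("key_name"))
	fmt.Println("key rendered once:", strings.Contains(getDetail(s), "new-key") && !strings.Contains(getDetail(s), "new-key"))
}
```

With the name a&b the vulnerable redirect parses as key_name=a plus a stray b parameter, which is the query corruption described above; the fixed redirect round-trips a&b intact and carries no token at all. The Cache-Control and Referrer-Policy headers on the display page go beyond what the advisory asks for but are cheap insurance for a page whose body holds the raw key.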

CVSS estimate

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N — 5.5 (medium). AV:L because realistic exploit requires log-read access on shared infrastructure (proxy, CDN, browser-history backup) the operator's session touches.

References

@juev juev published to forgekeep/nebula-mesh May 21, 2026
Published to the GitHub Advisory Database Jun 10, 2026
Reviewed Jun 10, 2026
Last updated Jun 10, 2026

Severity

Moderate


CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS score

2nd percentile (Exploit Prediction Scoring System; data provided by FIRST)

Weaknesses

CWE-116: Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-532: Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

CWE-598: Use of GET Request Method With Sensitive Query Strings

The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.

CVE ID

CVE-2026-47768

GHSA ID

GHSA-9pg3-25fq-p6cc
