nebula-mesh API Ownership Check Bypass — Cross-Operator Privilege Escalation

union DeviceNetworkEvents, DeviceProcessEvents, AuditLogs
| where TimeGenerated > ago(7d)
| where (
    (ActionType in ("HttpRequest", "ApiCall") and
     RequestUri matches regex @"/api/v[0-9]+/(nodes|networks|tunnels|hosts|peers)/[^/]+" and
     HttpMethod in ("PUT", "PATCH", "DELETE", "GET") and
     ResultDescription has_any ("200", "201", "204"))
    or
    (ProcessCommandLine has "nebula-mesh" and ProcessCommandLine has_any ("--api", "--token", "--operator"))
)
| extend ParsedUri = extract(@"/api/v[0-9]+/([^/]+)/([^/?]+)", 0, RequestUri)
| summarize
    RequestCount = count(),
    DistinctResources = dcount(ParsedUri),
    DistinctMethods = make_set(HttpMethod),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by AccountName, AccountObjectId, InitiatingProcessAccountName, SourceIp = RemoteIP, bin(TimeGenerated, 10m)
| where DistinctResources > 5
| extend RiskScore = case(
    DistinctResources > 20, "High",
    DistinctResources > 10, "Medium",
    "Low"
)
| project TimeGenerated, AccountName, AccountObjectId, SourceIp, RequestCount, DistinctResources, DistinctMethods, RiskScore, FirstSeen, LastSeen
| order by DistinctResources desc

index=* sourcetype IN ("nebula-mesh:api", "nginx:access", "haproxy", "golang:app", "syslog")
| regex _raw="/api/v\d+/(nodes|networks|tunnels|hosts|peers)/[^/\s]+"
| rex field=_raw "(?P<http_method>GET|POST|PUT|PATCH|DELETE) (?P<request_uri>/api/[^\s]+) HTTP" 
| rex field=_raw "\"?(?P<status_code>[245]\d{2})\"?"
| rex field=_raw "Authorization: Bearer (?P<token_prefix>[A-Za-z0-9+/]{8})"
| rex field=_raw "(?P<operator_id>operator[_-]?[a-zA-Z0-9]+|user[_-]?id[=:]\s*[a-zA-Z0-9]+)"
| rex field=request_uri "/api/v\d+/[^/]+/(?P<resource_id>[^/?\s]+)"
| where status_code IN ("200", "201", "204") AND http_method IN ("PUT", "PATCH", "DELETE", "GET")
| stats
    count AS request_count,
    dc(resource_id) AS distinct_resources,
    values(http_method) AS methods_used,
    values(resource_id) AS resources_accessed,
    earliest(_time) AS first_seen,
    latest(_time) AS last_seen
    BY src_ip, operator_id, token_prefix, span=10m
| where distinct_resources > 5
| eval risk=case(distinct_resources > 20, "HIGH", distinct_resources > 10, "MEDIUM", true(), "LOW")
| eval cve="CVE-2026-47724"
| table _time, src_ip, operator_id, request_count, distinct_resources, methods_used, risk, cve, first_seen, last_seen
| sort -distinct_resources

sequence by source.ip, user.name with maxspan=10m
  [network where
    http.request.method in ("GET", "PUT", "PATCH", "DELETE") and
    url.path : "/api/v*/nodes/*" or
    url.path : "/api/v*/networks/*" or
    url.path : "/api/v*/tunnels/*" or
    url.path : "/api/v*/hosts/*" or
    url.path : "/api/v*/peers/*" and
    http.response.status_code in (200, 201, 204)
  ] with runs=6

SELECT
  sourceip,
  username,
  UTF8(payload) AS raw_payload,
  COUNT(*) AS request_count,
  UNIQUECOUNT(REGEXP_EXTRACT(UTF8(payload), '/api/v[0-9]+/[^/]+/([^/?\s]+)', 1)) AS distinct_resource_ids,
  MIN(starttime) AS first_request_epoch,
  MAX(starttime) AS last_request_epoch,
  'CVE-2026-47724' AS cve_id
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'nginx', 'F5 BIG-IP', 'Application Log')
  AND UTF8(payload) MATCHES '.*\/api\/v[0-9]+\/(nodes|networks|tunnels|hosts|peers)\/[^/\s]+.*'
  AND UTF8(payload) MATCHES '.*(200|201|204).*'
  AND UTF8(payload) MATCHES '.*(PUT|PATCH|DELETE|GET).*'
  AND LOGSOURCETIME(starttime) > NOW() - 3600000
GROUP BY
  sourceip,
  username,
  FLOOR(starttime / 600000)
HAVING
  distinct_resource_ids > 5
ORDER BY distinct_resource_ids DESC
LAST 60 MINUTES

_sourceCategory=nebula-mesh OR _sourceCategory=nginx/access OR _sourceCategory=application/golang
| parse regex "(?P<http_method>GET|POST|PUT|PATCH|DELETE) (?P<request_uri>/api/v\d+/(?P<resource_type>nodes|networks|tunnels|hosts|peers)/(?P<resource_id>[^/?\s]+))"
| parse regex "(?P<status_code>[245]\d{2})"
| parse regex "(?P<source_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| where status_code in ("200", "201", "204") and http_method in ("GET", "PUT", "PATCH", "DELETE")
| timeslice 10m
| stats
    count as request_count,
    dcount(resource_id) as distinct_resources,
    dcount(resource_type) as distinct_resource_types,
    values(http_method) as methods
    by source_ip, _timeslice
| where distinct_resources > 5
| sort by distinct_resources desc
| fields _timeslice, source_ip, request_count, distinct_resources, distinct_resource_types, methods

rule nebula_mesh_cve_2026_47724_ownership_bypass {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects potential CVE-2026-47724 exploitation: cross-operator API access in nebula-mesh via missing ownership checks"
    severity = "CRITICAL"
    priority = "HIGH"
    cve = "CVE-2026-47724"
    reference = "https://github.com/juev/nebula-mesh/security/advisories/GHSA-598g-h2vc-h5vg"

  events:
    $req.metadata.event_type = "NETWORK_HTTP"
    $req.network.http.method in ("GET", "PUT", "PATCH", "DELETE")
    re.regex($req.network.http.request_url, `/api/v\d+/(nodes|networks|tunnels|hosts|peers)/[^/?\s]+`)
    $req.network.http.response_code in (200, 201, 204)
    $req.principal.ip = $ip
    $req.principal.user.userid = $uid
    $req.network.http.request_url = $url

  match:
    $ip, $uid over 10m

  outcome:
    $distinct_paths = count_distinct($url)
    $request_count = count($url)
    $risk_score = if($distinct_paths > 20, 95, if($distinct_paths > 10, 75, 50))

  condition:
    #req > 5 and $distinct_paths > 5
}

#event_simpleName=NetworkConnectIP4 OR #event_simpleName=ProcessRollup2
| search ImageFileName=/nebula[-_]?mesh/i OR (RemotePort=8080 OR RemotePort=443 OR RemotePort=8443) AND (CommandLine=/\/api\/v\d+\/(nodes|networks|tunnels|hosts|peers)\//)
| eval resource_id=extract(CommandLine, "/api/v\d+/[^/]+/([^/?\s]+)", 1)
| eval http_method=extract(CommandLine, "-(X|request)\s+(GET|PUT|PATCH|DELETE)", 2)
| stats
    count() AS request_count,
    dc(resource_id) AS distinct_resources,
    values(CommandLine) AS commands,
    values(RemoteAddressIP4) AS remote_ips
    by UserName, aid, ComputerName, span(EventTime, 10m)
| where distinct_resources > 3
| eval cve="CVE-2026-47724"
| eval alert_severity=if(distinct_resources > 10, "CRITICAL", "HIGH")
| fields EventTime, UserName, ComputerName, aid, request_count, distinct_resources, remote_ips, alert_severity, cve