Detect nebula-mesh API Ownership Check Bypass — Cross-Operator Privilege Escalation in Google Chronicle
CVE-2026-47724 is a missing authorization vulnerability (CWE-862) in github.com/juev/nebula-mesh versions prior to 0.3.4. API endpoints fail to validate resource ownership before processing requests, allowing an authenticated operator to access, modify, or delete mesh network resources belonging to other operators. With a CVSS score of 9.9 and a public proof-of-concept, exploitation enables full cross-tenant privilege escalation within a nebula-mesh deployment. Organizations running nebula-mesh as a multi-tenant overlay network orchestrator are at critical risk.
YARA-L Detection Query
rule nebula_mesh_cve_2026_47724_ownership_bypass {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects potential CVE-2026-47724 exploitation: cross-operator API access in nebula-mesh via missing ownership checks"
    severity = "CRITICAL"
    priority = "HIGH"
    cve = "CVE-2026-47724"
    reference = "https://github.com/juev/nebula-mesh/security/advisories/GHSA-598g-h2vc-h5vg"

  events:
    $req.metadata.event_type = "NETWORK_HTTP"
    $req.network.http.method in ("GET", "PUT", "PATCH", "DELETE")
    re.regex($req.network.http.request_url, `/api/v\d+/(nodes|networks|tunnels|hosts|peers)/[^/?\s]+`)
    $req.network.http.response_code in (200, 201, 204)
    $req.principal.ip = $ip
    $req.principal.user.userid = $uid
    $req.network.http.request_url = $url

  match:
    $ip, $uid over 10m

  outcome:
    $distinct_paths = count_distinct($url)
    $request_count = count($url)
    $risk_score = if($distinct_paths > 20, 95, if($distinct_paths > 10, 75, 50))

  condition:
    #req > 5 and $distinct_paths > 5
}

Chronicle YARA-L 2.0 rule detecting CVE-2026-47724 exploitation patterns by correlating nebula-mesh HTTP API requests from the same IP and user over 10-minute windows, flagging sessions with more than 5 distinct resource path accesses.
False Positives & Tuning
- Legitimate bulk mesh configuration operations by authorized administrators
- Automated infrastructure-as-code tooling provisioning mesh nodes
- Network monitoring platforms polling nebula-mesh health endpoints
- Authorized penetration testing activities against mesh infrastructure
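To see the rule's logic in isolation, here is an added Python simulation (not part of the original page, nor Chronicle code) that applies the same method, status, path-regex, 10-minute window and condition thresholds to constructed telemetry, and adds a hypothetical user-ID allowlist as one way to implement the tuning above. The window split is a simplification of YARA-L's match semantics, and all IPs, user IDs and paths are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RESOURCE_PATH = re.compile(r"/api/v\d+/(nodes|networks|tunnels|hosts|peers)/[^/?\s]+")  # as in the rule
METHODS, SUCCESS, WINDOW = {"GET", "PUT", "PATCH", "DELETE"}, {200, 201, 204}, timedelta(minutes=10)
ALLOWLISTED_UIDS = {"svc-terraform"}  # hypothetical tuning: IaC provisioning service accounts

def risk_score(distinct_paths):
    """Mirrors the rule's nested if(): 95 / 75 / 50 by number of distinct resource paths."""
    return 95 if distinct_paths > 20 else 75 if distinct_paths > 10 else 50

def windows(evs):
    """Split one (ip, uid) stream into 10-minute windows opened by each window's first event."""
    out, cur, start = [], [], None
    for ev in sorted(evs, key=lambda e: e["ts"]):
        if start is None or ev["ts"] - start >= WINDOW:
            if cur:
                out.append(cur)
            cur, start = [], ev["ts"]
        cur.append(ev)
    return out + [cur] if cur else out

def detect(events):
    """Apply the rule's events/match/outcome/condition logic; return one alert per hit window."""
    by_key = defaultdict(list)
    for ev in events:  # events section: method, success code, resource path; plus allowlist tuning
        if (ev["method"] in METHODS and ev["status"] in SUCCESS
                and ev["uid"] not in ALLOWLISTED_UIDS and RESOURCE_PATH.search(ev["url"])):
            by_key[(ev["ip"], ev["uid"])].append(ev)
    alerts = []
    for (ip, uid), evs in by_key.items():  # match: $ip, $uid over 10m
        for win in windows(evs):
            distinct = len({e["url"] for e in win})
            if len(win) > 5 and distinct > 5:  # condition: #req > 5 and $distinct_paths > 5
                alerts.append({"ip": ip, "uid": uid, "request_count": len(win),
                               "distinct_paths": distinct, "risk_score": risk_score(distinct)})
    return alerts

def sample_events():
    """Constructed telemetry: one true positive plus three benign patterns from the tuning list."""
    t0 = datetime(2026, 1, 1, 12, 0, 0)
    def mk(i, ip, uid, method, url, status):
        return {"ts": t0 + timedelta(seconds=20 * i), "ip": ip, "uid": uid,
                "method": method, "url": url, "status": status}
    evs = [mk(i, "10.0.0.5", "operator-a", "GET", f"/api/v1/nodes/node-{i:03d}", 200) for i in range(12)]  # walks 12 foreign node IDs
    evs += [mk(i, "10.0.0.9", "svc-terraform", "PUT", f"/api/v1/networks/net-{i}", 201) for i in range(8)]  # IaC: allowlisted
    evs += [mk(i, "10.0.0.7", "monitor", "GET", "/api/v1/health", 200) for i in range(30)]  # health polling: no resource path
    evs += [mk(i, "10.0.0.6", "operator-b", "GET", "/api/v1/tunnels/tun-1", 200) for i in range(7)]  # one path re-read: 1 distinct
    return evs
```

Only the 12-node walk fires; the allowlisted provisioning run, the health polling and the single-resource re-reads are all filtered by the same predicates the rule applies.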
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1 (CVE-2026-47724): Enumerate Foreign Operator Nodes via Unauthenticated Ownership Check
  Expected signal: HTTP GET /api/v1/nodes/<operator_b_node_id> returning HTTP 200 with node details for a resource not owned by the authenticated operator
- Test 2 (CVE-2026-47724): Modify Foreign Operator Network Configuration
  Expected signal: HTTP PATCH /api/v1/networks/<foreign_network_id> returning HTTP 200, with the data store reflecting an updated network name owned by the wrong operator
- Test 3 (CVE-2026-47724): Delete Foreign Operator Tunnel — Destructive Escalation
  Expected signal: HTTP DELETE /api/v1/tunnels/<foreign_tunnel_id> returning HTTP 200 or 204, followed by mesh connectivity disruption between the tunnel's associated endpoints