CVE-2026-47724 Elastic Security · Elastic

Detect nebula-mesh API Ownership Check Bypass — Cross-Operator Privilege Escalation in Elastic Security

CVE-2026-47724 is a missing authorization vulnerability (CWE-862) in github.com/juev/nebula-mesh versions prior to 0.3.4. API endpoints fail to validate resource ownership before processing requests, allowing an authenticated operator to access, modify, or delete mesh network resources belonging to other operators. With a CVSS score of 9.9 and a public proof-of-concept, exploitation enables full cross-tenant privilege escalation within a nebula-mesh deployment. Organizations running nebula-mesh as a multi-tenant overlay network orchestrator are at critical risk.

MITRE ATT&CK

Tactic
Privilege Escalation Persistence Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip, user.name with maxspan=10m
  [network where
    http.request.method in ("GET", "PUT", "PATCH", "DELETE") and
    url.path : "/api/v*/nodes/*" or
    url.path : "/api/v*/networks/*" or
    url.path : "/api/v*/tunnels/*" or
    url.path : "/api/v*/hosts/*" or
    url.path : "/api/v*/peers/*" and
    http.response.status_code in (200, 201, 204)
  ] with runs=6
critical severity medium confidence

EQL sequence query detecting a single source IP and user making 6 or more successful API requests to distinct nebula-mesh resource path types within a 10-minute window, indicating potential CVE-2026-47724 exploitation.

Data Sources

Elastic SIEMElastic APMFilebeat HTTP module

Required Tables

logs-*filebeat-*apm-*

False Positives & Tuning

  • Automated mesh provisioning tools making legitimate bulk API calls
  • Monitoring agents polling multiple nebula-mesh endpoints simultaneously
  • Legitimate operators with wide administrative scope accessing many resources
  • Load balancer health checks hitting multiple API endpoints

Other platforms for CVE-2026-47724

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-47724: Enumerate Foreign Operator Nodes via Unauthenticated Ownership Check

    Expected signal: HTTP GET /api/v1/nodes/<operator_b_node_id> returning HTTP 200 with node details for a resource not owned by the authenticated operator

  2. Test 2CVE-2026-47724: Modify Foreign Operator Network Configuration

    Expected signal: HTTP PATCH /api/v1/networks/<foreign_network_id> returning HTTP 200, with data store reflecting updated network name owned by wrong operator

  3. Test 3CVE-2026-47724: Delete Foreign Operator Tunnel — Destructive Escalation

    Expected signal: HTTP DELETE /api/v1/tunnels/<foreign_tunnel_id> returning HTTP 200 or 204, followed by mesh connectivity disruption between the tunnel's associated endpoints

Last updated: 2026-06-21 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2026-47724 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1078Valid AccountsT1548Abuse Elevation Control MechanismT1021Remote Services

Same Tactic: Privilege Escalation

Popular Detections