
Detect nebula-mesh API Ownership Check Bypass — Cross-Operator Privilege Escalation in CrowdStrike LogScale

CVE-2026-47724 is a missing authorization vulnerability (CWE-862) in github.com/juev/nebula-mesh versions prior to 0.3.4. API endpoints fail to validate resource ownership before processing requests, allowing an authenticated operator to access, modify, or delete mesh network resources belonging to other operators. With a CVSS score of 9.9 and a public proof-of-concept, exploitation enables full cross-tenant privilege escalation within a nebula-mesh deployment. Organizations running nebula-mesh as a multi-tenant overlay network orchestrator are at critical risk.
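The missing ownership check described above, shown as an added Go example that is not code from nebula-mesh (Go is assumed from the module path; the Node type, the in-memory Store and the X-Operator-ID header are constructed for illustration): the CWE-862 lookup beside one that enforces ownership at the point the resource is loaded.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

// Node and Store are constructed stand-ins; the real nebula-mesh types are not on the page.
type Node struct {
	ID      string
	OwnerID string
}
type Store map[string]Node

var ErrNotFound = errors.New("node not found")

// lookupNodeVulnerable has the CWE-862 shape: operatorID is known (the caller is
// authenticated) but never compared with the owner, so any operator can read any node.
func lookupNodeVulnerable(s Store, operatorID, nodeID string) (Node, error) {
	if n, ok := s[nodeID]; ok {
		return n, nil
	}
	return Node{}, ErrNotFound
}

// lookupNodeChecked enforces ownership where the resource is loaded. A foreign node
// yields the same ErrNotFound as a missing one, so the response does not confirm
// that another operator's node ID exists.
func lookupNodeChecked(s Store, operatorID, nodeID string) (Node, error) {
	if n, ok := s[nodeID]; ok && operatorID != "" && n.OwnerID == operatorID {
		return n, nil
	}
	return Node{}, ErrNotFound
}

// nodeHandler serves GET /api/v1/nodes/{id}. The operator identity is assumed to be
// placed in the X-Operator-ID header by upstream authentication middleware.
func nodeHandler(s Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		nodeID := strings.TrimPrefix(r.URL.Path, "/api/v1/nodes/")
		n, err := lookupNodeChecked(s, r.Header.Get("X-Operator-ID"), nodeID)
		if err != nil {
			http.Error(w, err.Error(), http.StatusNotFound)
			return
		}
		w.Write([]byte(n.ID + " owner=" + n.OwnerID + "\n"))
	}
}
```

Returning 404 rather than 403 for a foreign resource matters for the enumeration test below: a 403 would still tell the caller that the guessed ID exists.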

MITRE ATT&CK

Tactic
Privilege Escalation, Persistence, Lateral Movement

LogScale Detection Query

CrowdStrike LogScale (LogScale)

```cql
// nebula-mesh process executions and command lines that target mesh resource API paths
#event_simpleName=ProcessRollup2
| ImageFileName=/nebula[-_]?mesh/i OR CommandLine=/\/api\/v\d+\/(nodes|networks|tunnels|hosts|peers)\//
// Resource ID from the API path and HTTP method from a curl-style -X/--request flag;
// strict=false keeps events in which the pattern is absent
| regex("/api/v[0-9]+/[^/]+/(?<resource_id>[^/? ]+)", field=CommandLine, strict=false)
| regex("-(X|request) +(?<http_method>GET|PUT|PATCH|DELETE)", field=CommandLine, strict=false)
// Attach the outbound connection made by the same process (NetworkConnectIP4 ContextProcessId
// is the ProcessRollup2 TargetProcessId); a left join keeps processes with no matching connection
| join({#event_simpleName=NetworkConnectIP4 | RemotePort=8080 OR RemotePort=443 OR RemotePort=8443},
       field=[aid, TargetProcessId], key=[aid, ContextProcessId], include=[RemoteAddressIP4], mode=left)
// Per user and host, count the distinct resource IDs touched in each 10-minute window
| bucket(span=10m, field=[UserName, aid, ComputerName], function=[
    count(as=request_count),
    count(resource_id, distinct=true, as=distinct_resources),
    collect([CommandLine, RemoteAddressIP4])])
| rename(field=CommandLine, as=commands)
| rename(field=RemoteAddressIP4, as=remote_ips)
| distinct_resources > 3
| cve := "CVE-2026-47724"
| alert_severity := if(distinct_resources > 10, then="CRITICAL", else="HIGH")
| select([_bucket, UserName, ComputerName, aid, request_count, distinct_resources, remote_ips, alert_severity, cve])
```

Severity: critical; confidence: medium

CrowdStrike Falcon query correlating process and network events for nebula-mesh binary execution and outbound API calls, identifying hosts where a user accesses more than 3 distinct resource IDs within 10 minutes — indicative of cross-operator enumeration via CVE-2026-47724.

Data Sources

  • CrowdStrike Falcon
  • CrowdStrike Falcon Network Containment

Required Tables

  • NetworkConnectIP4
  • ProcessRollup2

False Positives & Tuning

  • Legitimate nebula-mesh operators running multi-node management scripts
  • DevOps engineers deploying mesh configuration changes via automation
  • Security teams performing authorized vulnerability assessment of nebula-mesh deployments
  • Mesh health monitoring daemons making periodic multi-endpoint checks


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1 (CVE-2026-47724): Enumerate Foreign Operator Nodes via Unauthenticated Ownership Check

    Expected signal: HTTP GET /api/v1/nodes/<operator_b_node_id> returning HTTP 200 with node details for a resource not owned by the authenticated operator

  2. Test 2 (CVE-2026-47724): Modify Foreign Operator Network Configuration

    Expected signal: HTTP PATCH /api/v1/networks/<foreign_network_id> returning HTTP 200, with data store reflecting updated network name owned by wrong operator

  3. Test 3 (CVE-2026-47724): Delete Foreign Operator Tunnel — Destructive Escalation

    Expected signal: HTTP DELETE /api/v1/tunnels/<foreign_tunnel_id> returning HTTP 200 or 204, followed by mesh connectivity disruption between the tunnel's associated endpoints

Unlock Pro Content

Get the full detection package for CVE-2026-47724 including response playbook, investigation guide, and atomic red team tests.

  • Response Playbook
  • Investigation Guide
  • Hunting Queries
  • Atomic Red Team Tests
  • Tuning Guidance
