CVE-2026-47724 IBM QRadar · QRadar

Detect nebula-mesh API Ownership Check Bypass — Cross-Operator Privilege Escalation in IBM QRadar

CVE-2026-47724 is a missing authorization vulnerability (CWE-862) in github.com/juev/nebula-mesh versions prior to 0.3.4. API endpoints fail to validate resource ownership before processing requests, allowing an authenticated operator to access, modify, or delete mesh network resources belonging to other operators. With a CVSS score of 9.9 and a public proof-of-concept, exploitation enables full cross-tenant privilege escalation within a nebula-mesh deployment. Organizations running nebula-mesh as a multi-tenant overlay network orchestrator are at critical risk.

MITRE ATT&CK

Tactic
Privilege Escalation Persistence Lateral Movement

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  sourceip,
  username,
  UTF8(payload) AS raw_payload,
  COUNT(*) AS request_count,
  UNIQUECOUNT(REGEXP_EXTRACT(UTF8(payload), '/api/v[0-9]+/[^/]+/([^/?\s]+)', 1)) AS distinct_resource_ids,
  MIN(starttime) AS first_request_epoch,
  MAX(starttime) AS last_request_epoch,
  'CVE-2026-47724' AS cve_id
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'nginx', 'F5 BIG-IP', 'Application Log')
  AND UTF8(payload) MATCHES '.*\/api\/v[0-9]+\/(nodes|networks|tunnels|hosts|peers)\/[^/\s]+.*'
  AND UTF8(payload) MATCHES '.*(200|201|204).*'
  AND UTF8(payload) MATCHES '.*(PUT|PATCH|DELETE|GET).*'
  AND LOGSOURCETIME(starttime) > NOW() - 3600000
GROUP BY
  sourceip,
  username,
  FLOOR(starttime / 600000)
HAVING
  distinct_resource_ids > 5
ORDER BY distinct_resource_ids DESC
LAST 60 MINUTES
critical severity medium confidence

QRadar AQL query aggregating nebula-mesh API requests by source IP and username across 10-minute windows, flagging actors accessing more than 5 distinct resource IDs — a key indicator of cross-operator access exploitation in CVE-2026-47724.

Data Sources

IBM QRadar SIEMHTTP access logsApplication event logs

Required Tables

events

False Positives & Tuning

  • Legitimate mesh administrators performing multi-node configuration updates
  • Automated deployment pipelines with broad API access
  • Asset discovery tools enumerating mesh topology
  • Backup or export tools accessing all mesh resources

Other platforms for CVE-2026-47724

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-47724: Enumerate Foreign Operator Nodes via Unauthenticated Ownership Check

    Expected signal: HTTP GET /api/v1/nodes/<operator_b_node_id> returning HTTP 200 with node details for a resource not owned by the authenticated operator

  2. Test 2CVE-2026-47724: Modify Foreign Operator Network Configuration

    Expected signal: HTTP PATCH /api/v1/networks/<foreign_network_id> returning HTTP 200, with data store reflecting updated network name owned by wrong operator

  3. Test 3CVE-2026-47724: Delete Foreign Operator Tunnel — Destructive Escalation

    Expected signal: HTTP DELETE /api/v1/tunnels/<foreign_tunnel_id> returning HTTP 200 or 204, followed by mesh connectivity disruption between the tunnel's associated endpoints

Last updated: 2026-06-21 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2026-47724 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1078Valid AccountsT1548Abuse Elevation Control MechanismT1021Remote Services

Same Tactic: Privilege Escalation

Popular Detections