Detect nebula-mesh API Ownership Check Bypass — Cross-Operator Privilege Escalation in Microsoft Sentinel
CVE-2026-47724 is a missing authorization vulnerability (CWE-862) in github.com/juev/nebula-mesh versions prior to 0.3.4. API endpoints fail to validate resource ownership before processing requests, allowing an authenticated operator to access, modify, or delete mesh network resources belonging to other operators. With a CVSS score of 9.9 and a public proof-of-concept, exploitation enables full cross-tenant privilege escalation within a nebula-mesh deployment. Organizations running nebula-mesh as a multi-tenant overlay network orchestrator are at critical risk.
MITRE ATT&CK
KQL Detection Query
union DeviceNetworkEvents, DeviceProcessEvents, AuditLogs
| where TimeGenerated > ago(7d)
| where (
(ActionType in ("HttpRequest", "ApiCall") and
RequestUri matches regex @"/api/v[0-9]+/(nodes|networks|tunnels|hosts|peers)/[^/]+" and
HttpMethod in ("PUT", "PATCH", "DELETE", "GET") and
ResultDescription has_any ("200", "201", "204"))
or
(ProcessCommandLine has "nebula-mesh" and ProcessCommandLine has_any ("--api", "--token", "--operator"))
)
| extend ParsedUri = extract(@"/api/v[0-9]+/([^/]+)/([^/?]+)", 0, RequestUri)
| summarize
RequestCount = count(),
DistinctResources = dcount(ParsedUri),
DistinctMethods = make_set(HttpMethod),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by AccountName, AccountObjectId, InitiatingProcessAccountName, SourceIp = RemoteIP, bin(TimeGenerated, 10m)
| where DistinctResources > 5
| extend RiskScore = case(
DistinctResources > 20, "High",
DistinctResources > 10, "Medium",
"Low"
)
| project TimeGenerated, AccountName, AccountObjectId, SourceIp, RequestCount, DistinctResources, DistinctMethods, RiskScore, FirstSeen, LastSeen
| order by DistinctResources descDetects potential exploitation of CVE-2026-47724 by identifying authenticated users or service accounts making API requests to nebula-mesh resource endpoints across multiple distinct resource IDs in a short window, which may indicate cross-operator ownership bypass. Also surfaces nebula-mesh process invocations with API/token flags.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrative operators performing bulk mesh configuration changes across many nodes
- Automated orchestration tools or CI/CD pipelines managing nebula-mesh resources at scale
- Security scanners or asset inventory tools enumerating API endpoints
- Network monitoring solutions polling multiple nebula-mesh node statuses simultaneously
Other platforms for CVE-2026-47724
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-47724: Enumerate Foreign Operator Nodes via Unauthenticated Ownership Check
Expected signal: HTTP GET /api/v1/nodes/<operator_b_node_id> returning HTTP 200 with node details for a resource not owned by the authenticated operator
- Test 2CVE-2026-47724: Modify Foreign Operator Network Configuration
Expected signal: HTTP PATCH /api/v1/networks/<foreign_network_id> returning HTTP 200, with data store reflecting updated network name owned by wrong operator
- Test 3CVE-2026-47724: Delete Foreign Operator Tunnel — Destructive Escalation
Expected signal: HTTP DELETE /api/v1/tunnels/<foreign_tunnel_id> returning HTTP 200 or 204, followed by mesh connectivity disruption between the tunnel's associated endpoints
Unlock Pro Content
Get the full detection package for CVE-2026-47724 including response playbook, investigation guide, and atomic red team tests.