Detect nebula-mesh API Ownership Check Bypass — Cross-Operator Privilege Escalation in Splunk
CVE-2026-47724 is a missing authorization vulnerability (CWE-862) in github.com/juev/nebula-mesh versions prior to 0.3.4. API endpoints fail to validate resource ownership before processing requests, allowing an authenticated operator to access, modify, or delete mesh network resources belonging to other operators. With a CVSS score of 9.9 and a public proof-of-concept, exploitation enables full cross-tenant privilege escalation within a nebula-mesh deployment. Organizations running nebula-mesh as a multi-tenant overlay network orchestrator are at critical risk.
MITRE ATT&CK
SPL Detection Query
index=* sourcetype IN ("nebula-mesh:api", "nginx:access", "haproxy", "golang:app", "syslog")
| regex _raw="/api/v\d+/(nodes|networks|tunnels|hosts|peers)/[^/\s]+"
| rex field=_raw "(?P<http_method>GET|POST|PUT|PATCH|DELETE) (?P<request_uri>/api/[^\s]+) HTTP"
| rex field=_raw "\"?(?P<status_code>[245]\d{2})\"?"
| rex field=_raw "Authorization: Bearer (?P<token_prefix>[A-Za-z0-9+/]{8})"
| rex field=_raw "(?P<operator_id>operator[_-]?[a-zA-Z0-9]+|user[_-]?id[=:]\s*[a-zA-Z0-9]+)"
| rex field=request_uri "/api/v\d+/[^/]+/(?P<resource_id>[^/?\s]+)"
| where status_code IN ("200", "201", "204") AND http_method IN ("PUT", "PATCH", "DELETE", "GET")
| stats
count AS request_count,
dc(resource_id) AS distinct_resources,
values(http_method) AS methods_used,
values(resource_id) AS resources_accessed,
earliest(_time) AS first_seen,
latest(_time) AS last_seen
BY src_ip, operator_id, token_prefix, span=10m
| where distinct_resources > 5
| eval risk=case(distinct_resources > 20, "HIGH", distinct_resources > 10, "MEDIUM", true(), "LOW")
| eval cve="CVE-2026-47724"
| table _time, src_ip, operator_id, request_count, distinct_resources, methods_used, risk, cve, first_seen, last_seen
| sort -distinct_resourcesIdentifies nebula-mesh API requests where a single operator or source IP accesses an anomalously high number of distinct resource IDs in a 10-minute window, indicative of cross-operator enumeration or privilege escalation via CVE-2026-47724.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Bulk administrative operations by legitimate mesh operators managing large deployments
- Automated health-check or monitoring scripts polling many node endpoints
- Legitimate DevOps pipeline activity during mesh provisioning or decommissioning
- Security red team or penetration testing activity on authorized engagement
Other platforms for CVE-2026-47724
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-47724: Enumerate Foreign Operator Nodes via Unauthenticated Ownership Check
Expected signal: HTTP GET /api/v1/nodes/<operator_b_node_id> returning HTTP 200 with node details for a resource not owned by the authenticated operator
- Test 2CVE-2026-47724: Modify Foreign Operator Network Configuration
Expected signal: HTTP PATCH /api/v1/networks/<foreign_network_id> returning HTTP 200, with data store reflecting updated network name owned by wrong operator
- Test 3CVE-2026-47724: Delete Foreign Operator Tunnel — Destructive Escalation
Expected signal: HTTP DELETE /api/v1/tunnels/<foreign_tunnel_id> returning HTTP 200 or 204, followed by mesh connectivity disruption between the tunnel's associated endpoints
Unlock Pro Content
Get the full detection package for CVE-2026-47724 including response playbook, investigation guide, and atomic red team tests.