{"uuid": "a6eb607a-2f32-4b64-9317-08d08a26fc69", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-ghmh-jhmj-wcmf", "type": "seen", "source": "https://gist.github.com/alon710/36f3399c6d42cf95c9294583be143e55", "content": "# GHSA-GHMH-JHMJ-WCMF: Plaintext Storage of Enrollment Tokens at Rest in SQLite in nebula-mesh\n\n> **CVSS Score:** 5.1\n> **Published:** 2026-06-22\n> **Full Report:** https://cvereports.com/reports/GHSA-GHMH-JHMJ-WCMF\n\n## Summary\nThe self-hosted Slack Nebula VPN control plane, nebula-mesh, stored high-privilege enrollment tokens in plaintext inside its SQLite database. This flaw allowed any adversary with read access to the database to retrieve pending tokens and enroll unauthorized hosts into the secure VPN mesh.\n\n## TL;DR\nPlaintext enrollment tokens stored in SQLite allowed attackers with database read access to register unauthorized nodes on private VPN meshes.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-312, CWE-256\n- **Attack Vector**: Local / Read-only Database Access\n- **CVSS v4.0 Score**: 5.1 (Medium)\n- **Exploit Status**: poc\n- **Impact**: Unauthorized VPN Mesh Host Enrollment\n- **Remediation Status**: Patched in v0.3.2\n\n## Affected Systems\n\n- nebula-mesh (github.com/juev/nebula-mesh)\n- nebula-mesh (github.com/forgekeep/nebula-mesh)\n- **nebula-mesh**: <= v0.3.0 (Fixed in: `v0.3.2`)\n\n## Mitigation\n\n- Upgrade nebula-mesh to version v0.3.2 or newer to enforce SHA-256 token hashing.\n- Apply restrictive filesystem permissions (chmod 0600) to nebula-mgmt.db to limit read access.\n- Rotate and invalidate any outstanding or expired enrollment tokens.\n\n**Remediation Steps:**\n1. Verify the running version of nebula-mesh and stop the control plane service.\n2. Backup the active SQLite database file (nebula-mgmt.db).\n3. Install the updated nebula-mesh binary (version v0.3.2 or newer).\n4. Run the database schema migrations to apply the 016_enrollment_token_hash.up.sql update.\n5. Identify hosts with pending enrollments and regenerate their enrollment tokens.\n\n## References\n\n- [GHSA-GHMH-JHMJ-WCMF Security Advisory](https://github.com/juev/nebula-mesh/security/advisories/GHSA-ghmh-jhmj-wcmf)\n- [SQL Migration Patch Source](https://raw.githubusercontent.com/forgekeep/nebula-mesh/v0.3.2/internal/store/migrations/016_enrollment_token_hash.up.sql)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-GHMH-JHMJ-WCMF) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-23T08:41:51.000000Z"}