GHSA-W7W5-5GCP-38RW
Vulnerability from github – Published: 2026-06-08 23:08 – Updated: 2026-06-08 23:08None of the response paths in internal/web/ or internal/api/ set the standard browser-security headers. grep for Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy returns zero matches across the codebase.
Impact
The admin UI signs CA certificates, mints API keys (returned inline once per page), displays TOTP QR codes, and exposes operator-management forms. Missing X-Frame-Options: DENY / frame-ancestors 'none' is a real clickjacking lever against an admin browsing /ui/operators/* or /ui/cas/*. Missing X-Content-Type-Options: nosniff allows MIME confusion on any user-supplied content surface. Missing HSTS on TLS deployments leaves a downgrade window.
Affected
All released versions up to v0.3.0.
Suggested fix
A single response-header middleware mounted at the chi router root in both /ui/* and /api/* paths:
func securityHeadersMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
h := rw.Header()
h.Set("Content-Security-Policy",
"default-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'")
h.Set("X-Content-Type-Options", "nosniff")
h.Set("Referrer-Policy", "same-origin")
h.Set("X-Frame-Options", "DENY") // belt-and-braces; CSP frame-ancestors is the modern path
if r.TLS != nil {
h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
}
next.ServeHTTP(rw, r)
})
}
The inline <script> in layout.html for CSRF wiring (added in the CSRF advisory) will need either a nonce, a hash in CSP, or external-file extraction. Easiest path: a nonce per request (crypto/rand, base64) injected into both the CSP header and the script's nonce="" attribute.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/juev/nebula-mesh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47723"
],
"database_specific": {
"cwe_ids": [
"CWE-1021"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-08T23:08:54Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "None of the response paths in `internal/web/` or `internal/api/` set the standard browser-security headers. `grep` for `Content-Security-Policy`, `X-Frame-Options`, `Strict-Transport-Security`, `X-Content-Type-Options`, `Referrer-Policy` returns zero matches across the codebase.\n\n## Impact\nThe admin UI signs CA certificates, mints API keys (returned inline once per page), displays TOTP QR codes, and exposes operator-management forms. Missing `X-Frame-Options: DENY` / `frame-ancestors \u0027none\u0027` is a real clickjacking lever against an admin browsing `/ui/operators/*` or `/ui/cas/*`. Missing `X-Content-Type-Options: nosniff` allows MIME confusion on any user-supplied content surface. Missing HSTS on TLS deployments leaves a downgrade window.\n\n## Affected\nAll released versions up to v0.3.0.\n\n## Suggested fix\nA single response-header middleware mounted at the chi router root in both `/ui/*` and `/api/*` paths:\n\n```go\nfunc securityHeadersMiddleware(next http.Handler) http.Handler {\n return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {\n h := rw.Header()\n h.Set(\"Content-Security-Policy\",\n \"default-src \u0027self\u0027; frame-ancestors \u0027none\u0027; base-uri \u0027none\u0027; form-action \u0027self\u0027\")\n h.Set(\"X-Content-Type-Options\", \"nosniff\")\n h.Set(\"Referrer-Policy\", \"same-origin\")\n h.Set(\"X-Frame-Options\", \"DENY\") // belt-and-braces; CSP frame-ancestors is the modern path\n if r.TLS != nil {\n h.Set(\"Strict-Transport-Security\", \"max-age=31536000; includeSubDomains\")\n }\n next.ServeHTTP(rw, r)\n })\n}\n```\n\nThe inline `\u003cscript\u003e` in `layout.html` for CSRF wiring (added in the CSRF advisory) will need either a nonce, a hash in CSP, or external-file extraction. Easiest path: a nonce per request (`crypto/rand`, base64) injected into both the CSP header and the script\u0027s `nonce=\"\"` attribute.",
"id": "GHSA-w7w5-5gcp-38rw",
"modified": "2026-06-08T23:08:54Z",
"published": "2026-06-08T23:08:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/juev/nebula-mesh/security/advisories/GHSA-w7w5-5gcp-38rw"
},
{
"type": "WEB",
"url": "https://github.com/forgekeep/nebula-mesh/commit/b45fda5476c41ffcff1ca23058aef0fb851359c1"
},
{
"type": "WEB",
"url": "https://github.com/forgekeep/nebula-mesh/releases/tag/v0.3.1"
},
{
"type": "PACKAGE",
"url": "https://github.com/juev/nebula-mesh"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.