NetLicensing MCP and nebula-mesh control-plane boundary checks¶
Source: hourly offensive-security scan, 2026-07-14 late GitHub advisory wave. Primary entries: GHSA-x9vc-9ffq-p3gj / CVE-2026-54446, GHSA-7rx3-5wx3-5v76, GHSA-cm26-5974-52h8 / CVE-2026-61699, and GHSA-g4x6-jcvr-9m3g / CVE-2026-55513.
This batch is durable because each advisory maps to a repeatable operator boundary: an MCP HTTP transport that silently falls back to the server operator's upstream API key when the caller supplies no key, a mesh webhook feature where non-admin operators can opt out of SSRF guards, a certificate-revocation workflow that updates control-plane state but never reaches the data plane, and a Web UI host-creation path that mints longer-lived bearer enrollment tokens than the configured policy.
Authorized validation only
Keep proofs to disposable NetLicensing-MCP and nebula-mesh labs, fake NetLicensing accounts or mocked upstream APIs, owned webhook callback hosts, loopback-only internal canaries, synthetic mesh hosts, short-lived test enrollment tokens, and inert route/status markers. Do not call production licensing APIs, create/delete real customer licenses, fetch cloud metadata, probe production internal services, capture real mesh traffic, reuse production certificates, enroll unauthorized devices, or publish bearer tokens/API keys.
What changed¶
| Advisory | Component | Boundary | Operator value |
|---|---|---|---|
| GHSA-x9vc-9ffq-p3gj / CVE-2026-54446 | netlicensing-mcp HTTP transport | Missing client API key is forwarded downstream, where the client falls back to NETLICENSING_API_KEY from the server environment | Add unauthenticated MCP HTTP tool-invocation checks for server-side credential fallback. |
| GHSA-7rx3-5wx3-5v76 | nebula-mesh managed webhooks | Non-admin operators can set allow_private: true, causing the dispatcher to use an unguarded HTTP client for webhook delivery | Test low-privilege webhook configuration for SSRF guard opt-out fields. |
| GHSA-cm26-5974-52h8 / CVE-2026-61699 | nebula-mesh host revocation | The control plane sends blocklist updates, but the agent discards them and generated configs omit pki.blocklist | Validate that revocation state changes are enforced by mesh peers, not just shown in the UI/API. |
| GHSA-g4x6-jcvr-9m3g / CVE-2026-55513 | nebula-mesh Web UI host creation | POST /ui/hosts hardcodes roughly 24-hour enrollment-token expiry instead of using configured TTL policy | Add UI-vs-API token-lifetime parity checks to mesh enrollment workflows. |
Replayable validation boundaries¶
NetLicensing-MCP server-side API key fallback¶
- Start
netlicensing-mcpin HTTP transport mode in a lab withNETLICENSING_API_KEYset to a fake key accepted by a mocked NetLicensing upstream, or to a low-risk test account explicitly approved for the assessment. - Send a normal MCP request with a caller-supplied
x-netlicensing-api-keyand confirm the upstream sees the caller key. - Repeat with no
x-netlicensing-api-keyheader and no?apikey=query parameter. - Invoke only harmless read/list tools first, then marker-only create/update/delete tools against disposable products or mock resources if those operations are in scope.
- Record whether the unauthenticated request is accepted and whether the upstream receives the server environment key.
- Add controls for a patched build, missing server key, invalid caller key, network-level authentication in front of HTTP mode, and stdio mode.
Report this as unauthenticated MCP HTTP caller -> missing per-request key enforcement -> upstream API request under server operator credential. Evidence should be method/tool name, auth state, mocked upstream key class, and marker object ID; redact all key material.
nebula-mesh webhook allow_private SSRF guard bypass¶
- Create a nebula-mesh lab with one admin, one non-admin operator, one owned callback host, and one loopback or RFC1918 canary listener under your control.
- As the non-admin operator, create a webhook subscription first with
allow_private: falseand a private canary URL; record the expected rejection or guarded-delivery failure. - Repeat with the same target and
allow_private: trueusing only a harmless event such as a synthetic host-enrollment marker. - Verify whether the server dispatches to the private canary despite the role being non-admin.
- Add controls for admin behavior, patched role-gated
allow_private, public callback URLs, update-vs-create paths, and disabled webhook subscriptions.
Report this as low-privilege webhook config -> guard opt-out flag -> server-side request to private address class. Do not target metadata services, cluster APIs, Unix sockets, production admin panels, or third-party hosts.
nebula-mesh revocation data-plane enforcement gap¶
- Build a lab mesh with a dedicated CA and two synthetic hosts: Host A as an allowed peer and Host B as the revocation target.
- Confirm baseline Host A <-> Host B connectivity with only marker traffic.
- Revoke or block Host B through the UI/API and wait for Host A's agent update poll to complete.
- Inspect only lab-generated config/state to determine whether
pki.blocklistor equivalent revocation material reaches Host A's Nebula daemon. - Attempt the same marker connection from Host B and record whether the handshake still succeeds until certificate expiry.
- Add controls for newly generated configs, manually injected blocklists, patched agents, expired certificates, and a host under a different CA.
Report this as control-plane host block -> blocklist not applied by agents/config generator -> revoked certificate still accepted by peers. Keep evidence to host IDs, fingerprint prefixes, config key presence/absence, and marker connectivity; never capture production traffic or private keys.
nebula-mesh Web UI enrollment-token TTL drift¶
- Configure a lab server and network with a deliberately short enrollment-token TTL, such as five minutes, and verify the API host-creation path uses that TTL.
- As an authenticated operator who can create hosts, create an equivalent host through
POST /ui/hosts. - Compare the returned or stored
expires_atfor UI-created and API-created enrollment tokens. - Attempt enrollment only for synthetic pending hosts and stop after proving whether the longer-lived UI token is accepted beyond the configured short TTL window.
- Add controls for patched UI behavior, token-regeneration routes, admin vs non-admin operators, and networks without TTL overrides.
Report this as Web UI host creation -> hardcoded bearer enrollment-token expiry -> token lifetime exceeds policy. Redact token values; use only disposable hosts and do not enroll real devices.
Reporting notes¶
- Lead with preconditions: MCP transport mode and exposure, whether a server-side upstream API key is configured, nebula-mesh operator role, webhook event reachability, configured private-address guard policy, revocation polling cadence, certificate lifetime, and configured enrollment-token TTL.
- Prefer decision tables over payload dumps: caller role, supplied header/query/body field, expected guard or token policy, observed route/tool dispatch, marker callback or mesh effect, and patched negative control.
- Redact API keys, bearer tokens, enrollment tokens, certificate fingerprints beyond short prefixes, hostnames from customer environments, callback tokens, upstream account IDs, and mesh config containing private keys.
- Adjacent nebula-mesh plaintext-token and OIDC state-allocation advisories in the same wave were marked processed without promotion because this run did not identify a safe offensive workflow beyond existing secret-storage and DoS-exclusion guidance.