PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-32078 Netmaker CVE debrief

CVE-2023-32078 is an authorization flaw in Netmaker’s user update function. The issue is described as an insecure direct object reference (IDOR): by supplying another user’s username, an attacker could update that user’s password. NVD assigns a CVSS v3.1 score of 7.5 (HIGH) with network attack vector, no privileges required, and high integrity impact. The vulnerable ranges listed in the official record are versions earlier than 0.17.1 and 0.18.0 through 0.18.5. The vendor advisory and NVD both point to fixes in 0.17.1 and 0.18.6. For defenders, this is primarily an access-control and credential-integrity problem: if a Netmaker deployment is on an affected version, user account takeover via password change is the main concern.

Vendor
Netmaker
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2023-08-24
Original CVE updated
2026-05-18
Advisory published
2023-08-24
Advisory updated
2026-05-18

Who should care

Netmaker administrators, platform owners, and security teams operating self-hosted Netmaker instances should care most, especially if any deployment is on versions before 0.17.1 or on 0.18.0-0.18.5. Identity and access management owners should also review any user-password-related changes in affected environments.

Technical summary

The vulnerability is mapped to CWE-639 (Authorization Bypass Through User-Controlled Key) in the vendor advisory metadata. The attack path is straightforward: the user update function accepted a username parameter that could be substituted for another account, allowing an unauthorized password update. NVD’s vulnerable CPE criteria identify two affected version bands: versions ending before 0.17.1, and versions from 0.18.0 through 0.18.5. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, which reflects a remotely reachable issue with no required privileges and a severe integrity impact.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Netmaker 0.18.6 or later if you are on 0.18.0-0.18.5.
  • If you are on 0.17.1, follow the vendor’s guidance to pull the patched image with `docker pull gravitl/netmaker:v0.17.1` and redeploy with `docker-compose up -d`.
  • Verify every Netmaker deployment is outside the affected ranges: earlier than 0.17.1, or 0.18.0 through 0.18.5.
  • Use the vendor advisory and patch references to confirm the fix has been applied in your environment.
  • Treat unexpected user password changes as suspicious and investigate affected accounts in deployments that may have been exposed.

Evidence notes

Primary evidence comes from the official NVD record and the vendor advisory linked in the source corpus. The supplied CVE record shows publication on 2023-08-24T22:15:10.267Z and later modification on 2026-05-18T16:44:17.500Z; that modified date is source metadata only and not the vulnerability date. NVD lists the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N and the vulnerable version criteria, while the GitHub security advisory metadata identifies CWE-639. The referenced commit and pull request are patch artifacts, and the vendor advisory confirms the fixed versions.

Official resources

CVE published by NVD on 2023-08-24. This debrief uses the CVE publication date for timing context and treats later source modifications as metadata updates only.