PatchSiren cyber security CVE debrief

CVE-2023-32079 Netmaker CVE debrief

CVE-2023-32079 is a high-severity privilege-escalation flaw in Netmaker. According to the CVE/NVD record and the vendor advisory, a mass assignment issue lets an authenticated non-admin user escalate to admin privileges in affected releases. The fixed releases are 0.17.1 for the 0.17.x line and 0.18.6 for the 0.18.x line.

Vendor: Netmaker
Product: Netmaker
CVSS: 8.8 (High)
CISA KEV: Not listed in the evidence reviewed
Original CVE published: 2023-08-24
Original CVE updated: 2026-05-18
Advisory published: 2023-08-24
Advisory updated: 2026-05-18

Who should care

Netmaker operators, platform administrators, and teams running Netmaker-managed WireGuard networks should prioritize this advisory, especially where non-admin users can authenticate to the application or API: the flaw requires only a low-privilege account (PR:L), so any ordinary user is a potential attacker.

Technical summary

The NVD record classifies this as CVSS 3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps it to CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes). The vector says the attacker reaches the service over the network with an ordinary authenticated account and needs no user interaction; a successful escalation to admin compromises confidentiality, integrity, and availability. The vulnerability affects Netmaker versions before 0.17.1 and versions 0.18.0 through 0.18.5. In those builds, a mass assignment issue allows a non-admin user to escalate privileges to admin: in the CWE-915 pattern, request data is bound onto a server-side object without restricting which attributes the caller may set, so a privileged attribute such as an admin flag can be written along with legitimate fields. The vendor advisory and NVD both identify 0.17.1 and 0.18.6 as fixed releases.
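To make the CWE-915 pattern concrete, the following Go program is an added illustration written for this debrief; it is not Netmaker's code and the `User`, `updateUserVulnerable`, `updateUserHardened` and `setAdmin` names, the `isadmin` JSON key and the sample payload are all assumptions constructed for the example. It places the vulnerable shape (decoding the request body straight into the stored record) beside a hardened shape (decoding into an explicit allowlist type, rejecting unknown fields, and changing roles only through a server-side authorization check).

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// User stands in for a server-side account record. Hypothetical type for this
// illustration, not Netmaker's actual data model.
type User struct {
	UserName string `json:"username"`
	Password string `json:"password"`
	IsAdmin  bool   `json:"isadmin"`
}

// updateUserVulnerable shows the CWE-915 pattern: the body is decoded directly
// into the stored record, so every JSON key that matches a field is written,
// including isadmin. A non-admin editing their own profile can therefore send
// {"isadmin":true} and come out of the update as an admin.
func updateUserVulnerable(stored User, body []byte) (User, error) {
	if err := json.Unmarshal(body, &stored); err != nil {
		return stored, err
	}
	return stored, nil
}

// userUpdateRequest is the allowlist of what a self-service update may change.
// Privileged attributes are deliberately absent from it.
type userUpdateRequest struct {
	Password *string `json:"password"`
}

// updateUserHardened decodes into the allowlist type and copies only permitted
// fields onto the record. DisallowUnknownFields turns a smuggled isadmin key
// into a hard error rather than a silent drop, so the attempt can be logged.
func updateUserHardened(stored User, body []byte) (User, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req userUpdateRequest
	if err := dec.Decode(&req); err != nil {
		return stored, err
	}
	if req.Password != nil {
		stored.Password = *req.Password
	}
	return stored, nil
}

// setAdmin is the only path that touches the privilege flag, and it decides
// on the caller's server-side role, never on anything carried in the body.
func setAdmin(stored User, callerIsAdmin bool, isAdmin bool) (User, error) {
	if !callerIsAdmin {
		return stored, errors.New("forbidden: only admins may change roles")
	}
	stored.IsAdmin = isAdmin
	return stored, nil
}

func main() {
	// Constructed sample request from a low-privilege user: a legitimate
	// password change with a privilege field smuggled alongside it.
	payload := []byte(`{"password":"n3w-pass","isadmin":true}`)
	alice := User{UserName: "alice", Password: "old", IsAdmin: false}

	v, _ := updateUserVulnerable(alice, payload)
	fmt.Printf("vulnerable update: isadmin=%v\n", v.IsAdmin) // true: escalated

	h, err := updateUserHardened(alice, payload)
	fmt.Printf("hardened update:   isadmin=%v err=%v\n", h.IsAdmin, err) // false, unknown field error

	_, err = setAdmin(alice, false, true)
	fmt.Println("self-promotion via setAdmin:", err) // forbidden
}
```

The design point is that the fix is not "strip isadmin from the input" but "never bind untrusted input to a type that carries privileged attributes": the allowlist struct makes the set of writable fields explicit and reviewable, and the role change lives behind its own authorization check.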

Defensive priority

High. This is a network-accessible privilege-escalation issue in infrastructure software, with potential impact to confidentiality, integrity, and availability if an attacker can obtain elevated privileges.

Recommended defensive actions

  • Upgrade Netmaker to a fixed release immediately: 0.17.1 on the 0.17.x line, or 0.18.6 or later on the 0.18.x line.
  • On the 0.17.x line, the vendor guidance is to pull the patched backend image (`docker pull gravitl/netmaker:v0.17.1`) and restart the stack (`docker-compose up -d`); 0.18.0 through 0.18.5 deployments move to 0.18.6 or later in the same way.
  • Confirm the deployed backend/container version after remediation so the patched release is actually running, not just pulled.
  • Review administrative accounts and recent privilege changes for unexpected additions or escalations, since a non-admin could have promoted an account before the upgrade.
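The version confirmation step is the one most often skipped across a fleet. The Go program below is an added example for this debrief, not a Netmaker tool: it applies the affected ranges exactly as the NVD record states them (before 0.17.1, and 0.18.0 through 0.18.5) to a version tag such as the one printed by `docker inspect --format '{{.Config.Image}}' <container>` for the backend. The `parseVersion` and `affectedByCVE202332079` names and the sample image tags are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed MAJOR.MINOR.PATCH tag.
type version [3]int

// parseVersion accepts tags such as "v0.18.3" or "0.17.0", tolerating a
// leading "v". Anything that is not three numeric components is an error,
// so a tag like "latest" is flagged for manual inspection rather than
// being silently treated as safe.
func parseVersion(tag string) (version, error) {
	var v version
	tag = strings.TrimPrefix(strings.TrimSpace(tag), "v")
	parts := strings.Split(tag, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("expected MAJOR.MINOR.PATCH, got %q", tag)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad component %q in %q", p, tag)
		}
		v[i] = n
	}
	return v, nil
}

// less reports whether a sorts strictly before b.
func (a version) less(b version) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// affectedByCVE202332079 applies the NVD ranges for this CVE: every release
// before 0.17.1, and 0.18.0 through 0.18.5 inclusive.
func affectedByCVE202332079(tag string) (bool, error) {
	v, err := parseVersion(tag)
	if err != nil {
		return false, err
	}
	if v.less(version{0, 17, 1}) {
		return true, nil
	}
	if !v.less(version{0, 18, 0}) && v.less(version{0, 18, 6}) {
		return true, nil
	}
	return false, nil
}

func main() {
	// Constructed image references, as a docker inspect of each backend
	// container might print them.
	images := []string{
		"gravitl/netmaker:v0.17.0",
		"gravitl/netmaker:v0.17.1",
		"gravitl/netmaker:v0.18.5",
		"gravitl/netmaker:v0.18.6",
		"gravitl/netmaker:latest",
	}
	for _, img := range images {
		tag := img[strings.LastIndex(img, ":")+1:]
		affected, err := affectedByCVE202332079(tag)
		if err != nil {
			fmt.Printf("%-28s cannot determine: %v\n", img, err)
			continue
		}
		fmt.Printf("%-28s affected=%v\n", img, affected)
	}
}
```

Run it against the tags collected from every host that runs the backend; a `latest` or otherwise unparseable tag is reported as undetermined on purpose, because a floating tag does not tell you which release is actually running.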

Evidence notes

Source evidence comes from the official NVD CVE record and the linked GitHub Security Advisory referenced by NVD. The NVD metadata lists affected version ranges as versions prior to 0.17.1 and 0.18.0 through 0.18.5, with fixed releases 0.17.1 and 0.18.6. The CVE was published on 2023-08-24; the 2026 modification timestamp should not be treated as the issue date.

Official resources

Publicly disclosed on 2023-08-24 via the CVE/NVD record, with NVD referencing the Netmaker GitHub Security Advisory as the vendor advisory.