PatchSiren cyber security CVE debrief
CVE-2026-63089 wg-easy CVE debrief
WireGuard Easy through version 15.3.0 is vulnerable to a cryptographically weak one-time link token generation vulnerability. This vulnerability allows unauthenticated network attackers to recover WireGuard peer credentials by brute-forcing a keyspace of at most 1000 candidate tokens per client ID. The token is computed using CRC32 over a random value constrained to 0-999. Attackers can enumerate candidate tokens against the unauthenticated /cnf/:oneTimeLink route, which lacks rate limiting and does not validate token expiration, to obtain a peer's PrivateKey and PresharedKey and impersonate that peer on the VPN network. Network defenders and administrators should assess their exposure and apply patches to mitigate the vulnerability. The CVE record was published on 2026-07-16T20:16:47.800Z and has not been modified since then. The vulnerability has a critical CVSS score of 9. The fix is available in commit 66b292b or later versions.
- Vendor
- wg-easy
- Product
- Unknown
- CVSS
- CRITICAL 9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Network defenders and administrators using WireGuard Easy should assess their exposure and apply patches to mitigate the vulnerability. They should also restrict access to the /cnf/:oneTimeLink route and implement rate limiting on this route. Additionally, they should monitor for suspicious activity on the WireGuard Easy service and consider using additional authentication mechanisms for WireGuard peer connections. This vulnerability affects WireGuard Easy deployments, and operators should review their configurations and update their systems accordingly.
Technical summary
WireGuard Easy through version 15.3.0 contains a vulnerability in its one-time link token generation. The tokens are generated using CRC32 over a random value between 0 and 999, resulting in a maximum of 1000 possible tokens per client ID. This weakness allows unauthenticated attackers to brute-force the tokens and potentially recover WireGuard peer credentials, enabling them to impersonate peers on the VPN network. The fix is available in commit 66b292b or later versions.
Defensive priority
High priority due to the critical CVSS score of 9 and the potential for unauthenticated network attacks.
Recommended defensive actions
- Apply the patch from commit 66b292b or upgrade to a version beyond 15.3.0.
- Restrict access to the /cnf/:oneTimeLink route.
- Implement rate limiting on the /cnf/:oneTimeLink route.
- Monitor for suspicious activity on the WireGuard Easy service.
- Consider using additional authentication mechanisms for WireGuard peer connections.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The vulnerability is caused by the weak one-time link token generation in WireGuard Easy. The token generation uses CRC32 over a random value constrained to 0-999, leading to a limited keyspace of 1000 candidate tokens per client ID. The unauthenticated /cnf/:oneTimeLink route lacks rate limiting and does not validate token expiration, making it susceptible to brute-force attacks. The official CVE record and NVD details provide further information on the vulnerability.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T20:16:47.800Z and has not been modified since then.