PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-63089 wg-easy CVE debrief

WireGuard Easy through version 15.3.0 is vulnerable to a cryptographically weak one-time link token generation vulnerability. This vulnerability allows unauthenticated network attackers to recover WireGuard peer credentials by brute-forcing a keyspace of at most 1000 candidate tokens per client ID. The token is computed using CRC32 over a random value constrained to 0-999. Attackers can enumerate candidate tokens against the unauthenticated /cnf/:oneTimeLink route, which lacks rate limiting and does not validate token expiration, to obtain a peer's PrivateKey and PresharedKey and impersonate that peer on the VPN network. Network defenders and administrators should assess their exposure and apply patches to mitigate the vulnerability. The CVE record was published on 2026-07-16T20:16:47.800Z and has not been modified since then. The vulnerability has a critical CVSS score of 9. The fix is available in commit 66b292b or later versions.

Vendor
wg-easy
Product
Unknown
CVSS
CRITICAL 9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Network defenders and administrators using WireGuard Easy should assess their exposure and apply patches to mitigate the vulnerability. They should also restrict access to the /cnf/:oneTimeLink route and implement rate limiting on this route. Additionally, they should monitor for suspicious activity on the WireGuard Easy service and consider using additional authentication mechanisms for WireGuard peer connections. This vulnerability affects WireGuard Easy deployments, and operators should review their configurations and update their systems accordingly.

Technical summary

WireGuard Easy through version 15.3.0 contains a vulnerability in its one-time link token generation. The tokens are generated using CRC32 over a random value between 0 and 999, resulting in a maximum of 1000 possible tokens per client ID. This weakness allows unauthenticated attackers to brute-force the tokens and potentially recover WireGuard peer credentials, enabling them to impersonate peers on the VPN network. The fix is available in commit 66b292b or later versions.

Defensive priority

High priority due to the critical CVSS score of 9 and the potential for unauthenticated network attacks.

Recommended defensive actions

  • Apply the patch from commit 66b292b or upgrade to a version beyond 15.3.0.
  • Restrict access to the /cnf/:oneTimeLink route.
  • Implement rate limiting on the /cnf/:oneTimeLink route.
  • Monitor for suspicious activity on the WireGuard Easy service.
  • Consider using additional authentication mechanisms for WireGuard peer connections.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The vulnerability is caused by the weak one-time link token generation in WireGuard Easy. The token generation uses CRC32 over a random value constrained to 0-999, leading to a limited keyspace of 1000 candidate tokens per client ID. The unauthenticated /cnf/:oneTimeLink route lacks rate limiting and does not validate token expiration, making it susceptible to brute-force attacks. The official CVE record and NVD details provide further information on the vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T20:16:47.800Z and has not been modified since then.