CVE-2026-44343 WGDashboard CVE debrief

Who should care

Organizations using WGDashboard for WireGuard VPN management, particularly those with internet-exposed management interfaces or multi-tenant deployments where dashboard compromise could affect multiple VPN configurations.

Technical summary

WGDashboard versions before 4.3.2 fail to properly validate input, allowing unauthenticated remote attackers to access arbitrary files on the host file system. The vulnerability is classified under CWE-20 (Improper Input Validation). The attack requires no authentication and can be executed over the network with low complexity. Successful exploitation grants attackers high impact on confidentiality, integrity, and availability of the affected system. The vendor addressed the issue in commit b15bbce9bc5554ec379d558f032c730db47fcea2 and released version 4.3.2.

Defensive priority

critical

Recommended defensive actions

• Upgrade WGDashboard to version 4.3.2 or later immediately
• Verify no unauthorized access occurred by reviewing host file system access logs
• Restrict network access to WGDashboard management interfaces to authorized administrative hosts only until patching is complete
• Review WireGuard configuration files and associated credentials for signs of unauthorized access or modification
• Monitor for anomalous file system access patterns or unexpected configuration changes on hosts running WGDashboard

Evidence notes

CVE published 2026-05-12; modified 2026-05-19. Vendor advisory and patch commit published via GitHub Security Advisories. CPE confirms affected versions are all versions prior to 4.3.2. CVSS 4.0 score of 9.3 reflects critical severity with network accessibility and no authentication barrier.

Official resources