CVE-2026-47724

The /api/v1/* route surface trusts the bearer token alone for authorisation on most endpoints. The codebase itself admits this at internal/api/hosts.go:384: "API trusts the bearer token for authorisation; per-CA ownership is enforced only in the Web layer."

The Web UI gates state-changing routes through loadAccessibleCA (internal/web/cas.go); CA-management endpoints in internal/api/cas.go ALSO have proper canAccessCA gates. The gap is on the host, network, firewall, mobile-bundle, and most operator endpoints. Combined with the per-operator CA model from ADR 0002, this gives any non-admin operator API key broad cross-tenant access — instant privilege escalation in the worst case.

Affected

All released versions prior to v0.3.4.

Exploit chain

A) Mint admin API key from any operator key (instant privilege escalation)

internal/api/operators.go:118 — handleCreateOperatorAPIKey does no admin check and no actor/target-operator ownership check. Any operator key can call it for any operator (including admins) and receive a fresh bearer.

curl -X POST -H "Authorization: Bearer <low-priv-key>" \
  https://server/api/v1/operators/<admin-id>/api-keys \
  -H 'Content-Type: application/json' -d '{"name":"oops"}'
## Returns: {"key":"<32-byte admin bearer>","entry":{...}}

Reuse the returned key for subsequent requests → full admin.

B) Cross-operator host takeover via reenroll

internal/api/hosts.go:321,330 → mintEnrollmentTokenForHost. Looks up host by URL param, mints a single-use enrollment token, returns it. No ownership check.

curl -X POST -H "Authorization: Bearer <low-priv-key>" \
  https://server/api/v1/hosts/<victim-host-id>/reenroll
## Returns: {"enrollment_token":"<uuid>",...}

Caller POSTs /api/v1/enroll with their own X25519 + Ed25519 keypairs. enroll.go:175 overwrites signingpubpem; SaveCertificateAndEnrollHost overwrites the cert. Legitimate agent's next signed poll fails bad_signature. Attacker now owns the victim's Nebula identity.

C) Cross-tenant CRUD on hosts, networks, firewall

The same gap applies across:

• /api/v1/hosts* — create, list, get, update, delete, block, unblock
• /api/v1/networks* — create, list, get
• /api/v1/networks/{id}/firewall — get, PUT
• /api/v1/hosts/{id}/mobile-bundle (already filed as public issue #119)

All trust bearer-auth alone. Any operator can read or mutate any other operator's resources.

Affected operator-management handlers (in addition to A)

Beyond handleCreateOperatorAPIKey (covered by A), internal/api/operators.go is missing admin gates on:

• handleListOperators (line 66) — operator roster info disclosure
• handleDisableOperator (line 79) — DoS / sabotage
• handleEnableOperator (line 94) — re-enable disabled operators
• handleRevokeOperatorAPIKey (line 157) — invalidate any operator's API keys
• handleListOperatorAPIKeys (line 173) — API-key metadata disclosure

handleCreateOperator (line 26) IS properly gated (actorIsAdmin at line 27).

NOT affected (verified)

internal/api/cas.go properly gates every CA endpoint via canAccessCA (calls at lines 70, 176, 216) and admin shortcuts at lines 39, 82. An earlier description draft mistakenly listed /api/v1/cas/{id}/rotate as affected — that endpoint is properly protected. CAs are not in this gap.

Impact

• Any non-admin operator → admin via one curl (A).
• Any non-admin operator → ownership of any victim's hosts with cert + identity transfer (B).
• Mass cross-tenant CRUD including firewall-rule mutation (C).
• Any operator → disable/enable other operators, revoke their API keys, enumerate the operator roster.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H — 9.6.

Suggested fix

Shared helpers in a new internal/api/authz.go, mirroring the Web layer's loadAccessibleCA:

func (s *Server) requireAdmin(w http.ResponseWriter, r *http.Request) bool
func (s *Server) requireOperatorAccess(w http.ResponseWriter, r *http.Request, operatorID string) bool
func (s *Server) requireHostAccess(w http.ResponseWriter, r *http.Request, hostID string) (*models.Host, bool)
func (s *Server) requireNetworkAccess(w http.ResponseWriter, r *http.Request, networkID string) (*models.Network, bool)

Each loads the resource, resolves its CA via *.CAID, accepts if actorIsAdmin(ctx) OR actor owns the CA. Reject 403 forbidden; audit-log api.<resource>.forbidden with the reason.

The operator-management endpoints take requireAdmin instead (operator ownership doesn't map to CA ownership).

Apply at the top of every host-, network-, firewall-, mobile-bundle-touching API handler, plus the 5 operator endpoints listed above. The legacy config-key path retains admin (preserves backward compatibility); the broader legacy-fallback question is tracked separately as issue #121.

Test matrix

• admin → all operations permitted
• owning non-admin → operations on owned hosts/networks permitted
• non-owner non-admin → 403 + audit entry
• legacy config-key → preserved (admin)
• unauthenticated → existing 401 from middleware

Coordinated context

Subsumes public issue #119 (mobile-bundle authz). Issue #121 (actor.go:40 legacy-admin fallback) is a separate concern tracked independently.