[Security Advisory] NetBird Management API Authorization Bypass - Patch Available
Hey everyone,
We’re disclosing a security vulnerability in NetBird’s management server API. A fix has been released.
What happened: The management API’s authentication middleware did not reconcile a request parameter with the identity bound to the caller’s token, so an authenticated user could set that parameter to bypass account-membership and role-based access checks. This means:
Multi-account deployments: An authenticated user on one account could potentially access resources on a different account (cross-account access).
Single-account deployments: A regular user could bypass per-user authorization checks, such as viewing peers they don’t own.
Important context:
Exploitation requires a valid authentication token (JWT or PAT) - this is not an unauthenticated attack.
The vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key.
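To make the bug class concrete, here is an added illustration written for this post. It is not NetBird’s code and does not show the actual flaw or the real parameter; it is a generic CWE-639 pattern (authorization keyed off a caller-supplied account ID) next to a handler that derives the account and ownership scope from the validated token instead. The token table, account names, peers and the `account` query parameter are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Illustrative only: not NetBird's code. The data below is constructed.

// Peer is a toy resource that belongs to an account and is owned by one user.
type Peer struct {
	ID, AccountID, OwnerID string
}

// claims stands in for what a validated JWT or PAT binds to a request.
type claims struct {
	UserID    string
	AccountID string // account the token was issued for
	Role      string // "admin" or "user"
}

// tokens replaces real JWT/PAT validation: bearer token -> claims (constructed).
var tokens = map[string]claims{
	"tok-alice": {UserID: "alice", AccountID: "acct-A", Role: "user"},
	"tok-bob":   {UserID: "bob", AccountID: "acct-B", Role: "user"},
	"tok-dora":  {UserID: "dora", AccountID: "acct-A", Role: "admin"},
}

var peers = []Peer{
	{ID: "peer-1", AccountID: "acct-A", OwnerID: "alice"},
	{ID: "peer-2", AccountID: "acct-A", OwnerID: "carol"},
	{ID: "peer-3", AccountID: "acct-B", OwnerID: "bob"},
}

func authenticate(r *http.Request) (claims, bool) {
	c, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
	return c, ok
}

func peerIDs(accountID, ownerID string) []string {
	var out []string
	for _, p := range peers {
		if p.AccountID == accountID && (ownerID == "" || p.OwnerID == ownerID) {
			out = append(out, p.ID)
		}
	}
	return out
}

// listPeersVulnerable (CWE-639): authentication succeeds, but the account the
// checks run against is taken from a query parameter the caller controls and is
// never compared with the token's account. Any authenticated user can read another
// account's peers, and no per-owner filter is applied within the account.
func listPeersVulnerable(w http.ResponseWriter, r *http.Request) {
	if _, ok := authenticate(r); !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	accountID := r.URL.Query().Get("account") // user-controlled key
	fmt.Fprint(w, strings.Join(peerIDs(accountID, ""), ","))
}

// listPeersFixed: the account comes from the token; a client-supplied account
// that disagrees is refused, and non-admins are limited to peers they own.
func listPeersFixed(w http.ResponseWriter, r *http.Request) {
	c, ok := authenticate(r)
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if q := r.URL.Query().Get("account"); q != "" && q != c.AccountID {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	owner := c.UserID
	if c.Role == "admin" {
		owner = "" // admins may list every peer in their own account
	}
	fmt.Fprint(w, strings.Join(peerIDs(c.AccountID, owner), ","))
}

// Call drives a handler in-process and returns the status code and trimmed body.
func Call(h http.HandlerFunc, token, account string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/peers?account="+account, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	// bob holds a token for acct-B but asks for acct-A's peers.
	code, body := Call(listPeersVulnerable, "tok-bob", "acct-A")
	fmt.Printf("vulnerable: %d %q\n", code, body) // 200 "peer-1,peer-2"
	code, body = Call(listPeersFixed, "tok-bob", "acct-A")
	fmt.Printf("fixed:      %d %q\n", code, body) // 403 "forbidden"
}
```

The two handlers differ only in where the account identifier comes from; that is the whole distinction between authenticating a caller and authorizing the specific record they asked for, and it is why a valid token is required but not sufficient for the described attack.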
What you should do:
Self-hosted users: Upgrade to version 0.64.5 or later immediately. Link to release
NetBird Cloud users: No action needed
If you have questions, reach out at security@netbird.io