nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs) — CVE-2026-47768

Summary

`internal/web/operators.go:251` — after `handleOperatorCreateAPIKey` mints a fresh 32-byte bearer token, the redirect points the operator's browser at: /ui/operators/<id>?new_key=<raw-token>&key_name=<name> The raw API key ends up: - in the browser's URL history - in the `Referer` header on every cross-origin asset the detail page loads (any third-party SVG/CSS/JS resource the layout pulls in) - in any…

Product

go: github.com/juev/nebula-mesh

What to do

General, cautious steps (verify details in the official source):

• Review exposure and plan remediation based on risk and environment.
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

• Read the official source
• CVE Record
• NVD

Related advisories