Vulnerability Details CVE-2026-25793
Nebula is a scalable overlay networking tool. In versions from 1.7.0 to 1.10.2, when using P256 certificates (which is not the default configuration), it is possible to evade a blocklist entry created against the fingerprint of a certificate by using ECDSA Signature Malleability to use a copy of the certificate with a different fingerprint. This issue has been patched in version 1.10.3.
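The malleability behind this issue, as an added example that is not Nebula's code or its patch: for a valid P-256 signature (r, s), the pair (r, n - s) also verifies, so a fingerprint hashed over raw signature bytes has two values per certificate, and normalizing s to its low form before hashing (one common mitigation) gives a single blocklist key. The certificate body, the r||s layout and all function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

var curveN = elliptic.P256().Params().N // P-256 group order n
var halfN = new(big.Int).Rsh(curveN, 1) // floor(n/2); "low-S" means s <= halfN

// NormalizeS maps the two valid values s and n-s to the same low-S value.
func NormalizeS(s *big.Int) *big.Int {
	if s.Cmp(halfN) <= 0 {
		return new(big.Int).Set(s)
	}
	return new(big.Int).Sub(curveN, s)
}

// Fingerprint hashes body plus fixed-width r||s (constructed layout, not Nebula's encoding).
func Fingerprint(body []byte, r, s *big.Int) string {
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	sum := sha256.Sum256(append(append([]byte{}, body...), sig...))
	return fmt.Sprintf("%x", sum)
}

// Demo reports: both signature forms verify, raw fingerprints match, normalized ones match.
func Demo() (bothVerify, rawEqual, normEqual bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	body := []byte("constructed certificate body")
	digest := sha256.Sum256(body)
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return
	}
	twin := new(big.Int).Sub(curveN, s) // second valid s for the same r
	bothVerify = ecdsa.Verify(&key.PublicKey, digest[:], r, s) && ecdsa.Verify(&key.PublicKey, digest[:], r, twin)
	rawEqual = Fingerprint(body, r, s) == Fingerprint(body, r, twin)
	normEqual = Fingerprint(body, r, NormalizeS(s)) == Fingerprint(body, r, NormalizeS(twin))
	return
}

func main() { fmt.Println(Demo()) } // prints: true false true <nil>
```

A verifier can alternatively reject any signature whose s exceeds `halfN`, provided the signer always emits the low form.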
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.5%
CVSS Severity
CVSS v3 Score 8.1
Products affected by CVE-2026-25793
- cpe:2.3:a:slack:nebula:1.10.0
- cpe:2.3:a:slack:nebula:1.10.1
- cpe:2.3:a:slack:nebula:1.10.2
- cpe:2.3:a:slack:nebula:1.7.0
- cpe:2.3:a:slack:nebula:1.7.1
- cpe:2.3:a:slack:nebula:1.7.2
- cpe:2.3:a:slack:nebula:1.8.0
- cpe:2.3:a:slack:nebula:1.8.1
- cpe:2.3:a:slack:nebula:1.8.2
- cpe:2.3:a:slack:nebula:1.9.0
- cpe:2.3:a:slack:nebula:1.9.1
- cpe:2.3:a:slack:nebula:1.9.2
- cpe:2.3:a:slack:nebula:1.9.3
- cpe:2.3:a:slack:nebula:1.9.4
- cpe:2.3:a:slack:nebula:1.9.5
- cpe:2.3:a:slack:nebula:1.9.6
- cpe:2.3:a:slack:nebula:1.9.7