Security Flaw: Privilege Escalation in Nebula API
Freshman Member
Hello,
We have identified that a user with "read-only" permissions can perform write actions, such as creating a new site within our organization, by using an API key (created by the user in his account). This same action is correctly blocked in the user interface (UI).
This loophole allows for improper privilege escalation and violates the principle of least privilege, creating a security risk for our organization. I have not yet tested with other API calls like register devices and moving devices between sites.
Could you please inform us if there are any controls to mitigate this? Are there plans (a roadmap) to align API permissions with UI permissions, thereby restricting read-only users to GET calls?
Best Answers
-
Hi @henriquev
Thanks for reporting this issue. This issue has been addressed and will be fixed asap. Will keep you posted once fixed.
Zyxel Melen0 -
Update:
We have fixed this issue on 2026/02/10.
Zyxel Melen0
Zyxel Employee
All Replies
-
Hi @henriquev
Thanks for reporting this issue. This issue has been addressed and will be fixed asap. Will keep you posted once fixed.
Zyxel Melen0 -
Update:
We have fixed this issue on 2026/02/10.
Zyxel Melen0
Categories
- All Categories
- 442 Beta Program
- 2.9K Nebula
- 219 Nebula Ideas
- 127 Nebula Status and Incidents
- 6.5K Security
- 588 USG FLEX H Series
- 344 Security Ideas
- 1.7K Switch
- 84 Switch Ideas
- 1.4K Wireless
- 52 Wireless Ideas
- 7K Consumer Product
- 298 Service & License
- 477 News and Release
- 91 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.8K FAQ
- 34 Documents
- 87 About Community
- 102 Security Highlight
