CVE-2026-44001 | Session bootstrap token bypass in Nimbus Gateway administrative API

CVE CVE-2026-44001

Title Session bootstrap token bypass in Nimbus Gateway administrative API

Case Number VAPT-2026-04401

Status

Published

Credits

Maya Overflow (finder)

Affected products

Product	Affected	Unaffected	Unknown
Nimbus Networks Nimbus Gateway	Nimbus Gateway 4.2.0 through 4.2.8	—	Unknown

CVSS

Base score	9.4 - CRITICAL `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Attack Vector	NETWORK
Attack Complexity	LOW
Privileges Required	NONE
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Availability Impact	HIGH

References

VAPT writeup (VAPT advisory)
Vendor advisory (Vendor advisory)

Problem type(s)

CWE / Problem Type	MITRE Tactics	MITRE Techniques
CWE-287 Improper Authentication	Initial Access (TA0001) Credential Access (TA0006)	Valid Accounts (T1078) Exploit Public-Facing Application (T1190)

Date published Apr 10, 2026

Last modified Apr 10, 2026, 13:43 UTC

Description

A bootstrap token issued during appliance initialization remained valid after the setup workflow completed. The administrative API failed to bind the token to the initialization state, so a replayed request restored a privileged setup session and exposed management actions intended only for first-run use.

Known Detection Rules

Invalidate all bootstrap material after successful onboarding, rotate exposed secrets, and upgrade to Nimbus Gateway 4.2.9 or later. Administrators should review management logs for repeated setup-session requests originating after appliance enrollment.

No authenticated YARA, Sigma, or KQL detection content is attached to this CVE.

References

VAPT writeup

Public VAPT advisory linked to this CVE.

VAPT advisory

Vendor advisory

Public vendor advisory or acknowledgment linked to this CVE.

Vendor advisory