VAPT-2026-04401 | Session bootstrap token bypass in Nimbus Gateway administrative API
Nimbus Gateway accepted stale bootstrap session material on the administrative API, allowing remote attackers to regain privileged access without re-authentication.
Case Overview
Upgrade to Nimbus Gateway 4.2.9 or later where possible, or rebuild the appliance on 4.2.9 or later.
Affected Scope
Nimbus Gateway 4.2.0 through 4.2.8 (fixed in 4.2.9).
How Attackers Can Misuse This
- A remote attacker who holds a bootstrap token issued during appliance initialization can replay it against the administrative API after the setup workflow has completed; the gateway restores the privileged setup session and exposes first-run management actions without requiring re-authentication.
Root Cause
A bootstrap token issued during appliance initialization remained valid after the setup workflow completed. The administrative API failed to bind the token to the initialization state, so a replayed request restored a privileged setup session and exposed management actions intended only for first-run use.
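The check the root cause describes, modelled as an added example (not Nimbus Gateway code; ApplianceState, the lifecycle names and every function here are hypothetical): the vulnerable path accepts a bootstrap token whenever it exists and has not expired, while the hardened path binds the token to the initializing state and discards all bootstrap material when onboarding completes.

```python
"""Bootstrap-token acceptance before and after binding it to initialization state.

Added example, not Nimbus Gateway code: ApplianceState, the lifecycle names and
every function here are hypothetical. It models the defect the advisory
describes (a first-run token that keeps working after setup) beside a check that
refuses bootstrap material once the appliance leaves the initializing state and
discards that material when onboarding completes.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

INITIALIZING = "initializing"  # hypothetical lifecycle states
ENROLLED = "enrolled"


@dataclass
class ApplianceState:
    lifecycle: str = INITIALIZING
    # token -> expiry as epoch seconds
    bootstrap_tokens: dict = field(default_factory=dict)


def issue_bootstrap_token(state, ttl_seconds=900, now=None):
    """Mint a short-lived token for the first-run setup workflow."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    state.bootstrap_tokens[token] = now + ttl_seconds
    return token


def _lookup_token(state, presented):
    """Return the stored expiry for a presented token, comparing in constant time."""
    for issued, expiry in state.bootstrap_tokens.items():
        if hmac.compare_digest(issued.encode(), presented.encode()):
            return expiry
    return None


def accept_bootstrap_vulnerable(state, presented, now=None):
    """The defect: only existence and expiry are checked, never the lifecycle."""
    now = time.time() if now is None else now
    expiry = _lookup_token(state, presented)
    return expiry is not None and now < expiry


def finish_setup_vulnerable(state):
    """The defect, part two: setup completes but the token store is left intact."""
    state.lifecycle = ENROLLED


def accept_bootstrap_hardened(state, presented, now=None):
    """Hardened check: bootstrap material is valid only while still initializing."""
    now = time.time() if now is None else now
    if state.lifecycle != INITIALIZING:
        return False  # bound to initialization state, so replay after setup is refused
    expiry = _lookup_token(state, presented)
    return expiry is not None and now < expiry


def finish_setup_hardened(state):
    """Completing onboarding invalidates every bootstrap token, not just the lifecycle flag."""
    state.lifecycle = ENROLLED
    state.bootstrap_tokens.clear()


def replay_after_setup(hardened):
    """Run one setup workflow and report whether a replayed bootstrap token still works."""
    state = ApplianceState()
    t0 = 1_700_000_000.0  # fixed clock so the outcome does not depend on wall time
    token = issue_bootstrap_token(state, now=t0)
    accept = accept_bootstrap_hardened if hardened else accept_bootstrap_vulnerable
    finish = finish_setup_hardened if hardened else finish_setup_vulnerable
    assert accept(state, token, now=t0 + 60)  # legitimate use during setup succeeds
    finish(state)
    return accept(state, token, now=t0 + 120)  # the replay after setup has completed


if __name__ == "__main__":
    print("replay accepted (vulnerable):", replay_after_setup(hardened=False))
    print("replay accepted (hardened):", replay_after_setup(hardened=True))
```

Both fixes matter on their own: clearing the store on completion removes the material, and the lifecycle check still refuses a token that survived (for example after a crash between the two steps), so neither a replayed request nor a stale store entry restores the setup session.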
record: VAPT-2026-04401
severity: CRITICAL
product: Nimbus Gateway
target_versions: Nimbus Gateway 4.2.0 through 4.2.8
linked_cves: CVE-2026-44001
cvss_vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What You Can Do
Treat exposed management surfaces and previously issued credentials as potentially compromised.
Rotate affected secrets, tokens, and privileged service credentials after remediation is applied.
Invalidate all bootstrap material after successful onboarding, rotate exposed secrets, and upgrade to Nimbus Gateway 4.2.9 or later. Administrators should review management logs for repeated setup-session requests originating after appliance enrollment.
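The log review recommended above, as an added example (not a Nimbus Gateway tool; the key=value log layout, the endpoint paths and the sample lines are constructed, so the regex has to be adapted to the real management-log format): it derives each appliance's enrollment time from its successful setup-complete event and reports any setup-session request that reaches that appliance afterwards.

```python
"""Sweep management logs for setup-session requests that arrive after enrollment.

Added example, not a Nimbus Gateway tool: the key=value log layout, the path
names and the sample lines below are constructed for illustration, so the
regex must be adapted to the real management-log format. It implements the
review the advisory recommends: find setup-session requests that reach an
appliance after that appliance has finished onboarding.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log (hypothetical format). gw-01 completes setup on Mar 30
# and then sees setup-session requests on Apr 11; gw-02 is still onboarding.
SAMPLE_LOG = """\
2026-03-30T08:00:12Z host=gw-01 src=10.0.0.5 path=/admin/setup/session status=200
2026-03-30T08:40:00Z host=gw-01 src=10.0.0.5 path=/admin/setup/complete status=200
2026-03-30T09:15:44Z host=gw-01 src=10.0.0.9 path=/admin/api/users status=200
2026-04-11T02:13:07Z host=gw-01 src=203.0.113.44 path=/admin/setup/session status=200
2026-04-11T02:13:09Z host=gw-01 src=203.0.113.44 path=/admin/setup/session status=200
2026-04-11T02:14:30Z host=gw-01 src=203.0.113.44 path=/admin/api/users status=200
2026-04-11T02:20:00Z host=gw-02 src=10.0.0.5 path=/admin/setup/session status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)
SETUP_PREFIX = "/admin/setup/"           # hypothetical first-run endpoints
SETUP_COMPLETE = "/admin/setup/complete"


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["status"] = int(rec["status"])
    return rec


def derive_enrollment_times(log_text):
    """Enrollment time per appliance: its first successful setup-complete event."""
    enrolled = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == SETUP_COMPLETE and rec["status"] == 200:
            enrolled.setdefault(rec["host"], rec["ts"])
    return enrolled


def find_post_enrollment_setup_requests(log_text, enrollment_times=None):
    """Return setup-endpoint requests that hit an appliance after it was enrolled."""
    if enrollment_times is None:
        enrollment_times = derive_enrollment_times(log_text)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SETUP_PREFIX):
            continue
        enrolled_at = enrollment_times.get(rec["host"])
        if enrolled_at is None or rec["ts"] <= enrolled_at:
            continue  # still onboarding, or part of the original setup workflow
        findings.append(rec)
    return findings


def summarize(findings):
    """Count suspicious requests per (appliance, source) pair for triage."""
    return Counter((f["host"], f["src"]) for f in findings)


if __name__ == "__main__":
    hits = find_post_enrollment_setup_requests(SAMPLE_LOG)
    for (host, src), n in summarize(hits).items():
        print(f"{host}: {n} setup-session request(s) from {src} after enrollment")
```

Pass `enrollment_times` explicitly when the asset inventory records onboarding dates, since a log that has already rotated past the setup-complete event would otherwise leave that appliance unchecked.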
Tools
No downloadable tools or authenticated evidence packages are attached to this case.
What We Are Doing
This Nimbus Networks case is currently marked published, and the vendor's patch status is reported as published. VAPT continues to keep the public lifecycle aligned with coordinated disclosure milestones and remediation visibility.
Timeline
| Date | Status | Description |
|---|---|---|
| Mar 27, 2026 | Submitted | The researcher submitted the initial disclosure package. |
| Apr 2, 2026 | Validated | The issue was validated and reserved for coordinated disclosure. |
| Apr 10, 2026 | Published | The case was published with a public VAPT advisory and CVE writeup. |
More Information
- Root-cause walkthrough and affected request flow.
- Vendor remediation and rollout guidance.