๐Ÿ” CVE Alert

CVE-2026-63089

CRITICAL 9.3

WireGuard Easy Weak Token Generation Information Disclosure via OTL Route

CVSS Score
9.3
EPSS Score
0.0%
EPSS Percentile
0th

WireGuard Easy through 15.3.0, fixed in commit 66b292b, contains a cryptographically weak one-time link token generation vulnerability that allows unauthenticated network attackers to recover WireGuard peer credentials by brute-forcing a keyspace of at most 1000 candidate tokens per client ID, as the token is computed using CRC32 over a random value constrained to 0-999. Attackers can enumerate candidate tokens against the unauthenticated /cnf/:oneTimeLink route, which lacks rate limiting and does not validate token expiration, to obtain a peer's PrivateKey and PresharedKey and impersonate that peer on the VPN network.

CWE CWE-338 CWE-613
Vendor wg-easy
Product wg-easy
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for wg-easy wg-easy

Be the first to know when new critical vulnerabilities affecting wg-easy wg-easy are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Affected Versions

wg-easy / wg-easy
0 โ‰ค 15.3.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/wg-easy/wg-easy/pull/2661 github.com: https://github.com/wg-easy/wg-easy/commit/66b292b11bde3664f05ffb016c8082665d261ded vulncheck.com: https://www.vulncheck.com/advisories/wireguard-easy-weak-token-generation-information-disclosure-via-otl-route

Credits

George Chen