Severity: HIGH | CVE-2026-45291 | CNA: GitHub_M

CVE-2026-45291: Cloudburst Network erroneously handles invalid connections

Cloudburst Network provides network components used within Cloudburst projects. A vulnerability in versions prior to `1.0.0.CR3-20260418.124334-32` impacts publicly accessible software depending on the affected versions of Network and allows an attacker to exploit a bug in Network to close the parent netty channel, rendering it inoperable. All consumers of the library should upgrade to at least version `1.0.0.CR3-20260418.124334-32`. There are no known workarounds beyond updating the library.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in Cloudburst Network, a networking library used by Cloudburst projects. It is reachable over the network with no authentication required, meaning any remote attacker can trigger it without credentials. Successful exploitation allows the attacker to force-close the parent Netty channel, rendering the service inoperable. No fix version has been officially published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Cloudburst Network as a dependency. Any image carrying a version of Network prior to 1.0.0.CR3-20260418.124334-32 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.5 HIGH (v3.1) and weights it against each environment's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within the customer org based on configured ownership rules.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream project ships a release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the service over the network; publicly accessible deployments embedding Cloudburst Network are directly exposed.

  • Authentication: Not required

    No credentials or prior account access are needed to trigger the vulnerability.

  • Victim interaction: Not required

    The attacker does not need to trick any user into taking an action; the exploit is driven entirely by the attacker sending crafted network traffic.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or environmental prerequisites.

Blast Radius

  • Crashes the parent Netty channel in the affected service, taking it completely offline.
  • All in-flight and subsequent connections to the service are dropped, producing a full denial of service for end users.
  • Recovery requires a process restart or redeployment, extending downtime depending on operator response time.

How HarborGuard Handles This

Available on HarborGuard: images carrying Cloudburst Network versions prior to 1.0.0.CR3-20260418.124334-32 are flagged as soon as the CVE is ingested, which typically occurs within minutes of publication. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle. The moment the CloudburstMC project releases a patched version, a rebuilt image becomes available, and for customers who have auto-remediation enabled, HarborGuard will automatically trigger a rebuild, run regression tests, and open a PR against affected workloads. In the interim, the CVE description notes there are no known workarounds beyond updating the library; customers may consider network-policy isolation to restrict which sources can reach services that embed this library, reducing the pool of potential attackers until an upstream fix is available.

Affected packages
  • CloudburstMC / Network
    < 1.0.0.CR3-20260418.124334-32
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H