Skip to main content

Headplane CVE-2026-46484

| EUVDEUVD-2026-35193 HIGH
Path Traversal (CWE-22)
2026-06-08 GitHub_M
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 08, 2026 - 21:02 EUVD
Source Code Evidence Fetched
Jun 08, 2026 - 20:20 vuln.today
Analysis Generated
Jun 08, 2026 - 20:20 vuln.today

DescriptionGitHub Advisory

Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3.

AnalysisAI

Authorization bypass in Headplane (the web UI for Headscale) prior to 0.6.3 and 0.7.0-beta.3 allows authenticated low-privilege users to escape the intended Headscale API endpoint via path traversal sequences embedded in node and user rename values. By smuggling traversal payloads through un-encoded URL path segments, an attacker can reach arbitrary Headscale API operations, breaking the RBAC model and impacting integrity and availability of the tailnet. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Headplane is a feature-complete web UI for Headscale, an open-source, self-hosted implementation of the Tailscale control server. The flaw is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) inside the Headscale API client used for rename operations: user-controlled node names and user names were interpolated directly into the request URL path without URL-encoding. Because Headscale's REST API distinguishes operations by path (e.g., /api/v1/node/{id}/rename/{new_name}), unencoded '/', '..', or other reserved characters let the rename segment slip out of its slot and re-target a different endpoint, effectively turning a rename call into an arbitrary API call. The CPE cpe:2.3:a:tale:headplane:*:* confirms the affected component is the Headplane application itself, not Headscale.

RemediationAI

Vendor-released patch: upgrade to Headplane 0.6.3 on the stable channel or 0.7.0-beta.3 on the pre-release channel, per the project advisory GHSA-vgj6-hcf2-fqf6 and release notes at https://github.com/tale/headplane/releases/tag/v0.6.3 and https://github.com/tale/headplane/releases/tag/v0.7.0-beta.3; Docker deployments should redeploy from ghcr.io/tale/headplane:0.6.3 or :latest. The upstream fix URL-encodes user-controlled node and user rename path segments before they are sent to Headscale, so no configuration change is needed once upgraded. If upgrading immediately is not possible, compensating controls include disabling node and user rename functionality for non-admin users by restricting Headplane UI access (for example, gating /users and /machines rename routes at a reverse proxy or OIDC policy), and tightening Headscale-side RBAC so the Headplane service account cannot perform sensitive API calls beyond rename - the trade-off is loss of legitimate self-service rename capability and additional operational overhead. Audit existing Headscale node and user names for suspicious characters such as '/', '..', or URL-encoded equivalents that may indicate prior exploitation attempts.

Share

CVE-2026-46484 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy