CVE-2026-46484
Path Traversal in Headplane Web UI

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3.
Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-09
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 5 associated CPEs

Vendor     Product    Version / Range
headplane  headplane  up to 0.7.0-beta.3 (excluding)
tale       headplane  up to 0.6.3 (excluding)
tale       headplane  up to 0.7.0-beta.3 (excluding)
tale       headplane  0.6.3
tale       headplane  0.7.0-beta.3
CWE ID   Description
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-22:  The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-46484 is a path traversal and role-based access control (RBAC) bypass vulnerability in the Headplane project, specifically affecting versions prior to 0.6.3 and 0.7.0-beta.3.

The vulnerability occurs in the rename API calls for nodes and users, where user-controlled input is inserted directly into the Headscale API URL path without proper URL encoding.

An attacker can manipulate the rename path segments with path traversal sequences (like "../") to escape the intended API endpoint, causing the request to target unauthorized nodes or users.

This allows an authenticated user with certain privileges to bypass RBAC restrictions and perform unauthorized rename or expire actions on arbitrary nodes or users.

The issue was fixed by URL-encoding the user-controlled path segments before sending requests to Headscale, so a crafted rename value can no longer escape the intended endpoint.
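The unencoded and the encoded way of building the rename URL that the summary above describes, side by side, with a prefix check a client can apply before sending. This is an added example and not Headplane's own code; the Headscale base URL and the `node/{id}/rename/{name}` endpoint shape are assumptions.

```javascript
// Added example (not Headplane's code). The base URL is constructed and the
// endpoint shape is an assumption modelled on Headscale's REST API.
const HEADSCALE_BASE = "https://headscale.example.invalid/api/v1/";

// Vulnerable pattern: the user-supplied new name is spliced into the path
// as-is, so a value containing "../" changes which endpoint the request hits.
function renameNodeUrlUnsafe(nodeId, newName) {
  return new URL(`node/${nodeId}/rename/${newName}`, HEADSCALE_BASE).href;
}

// Fixed pattern (what the advisory says 0.6.3 / 0.7.0-beta.3 do): percent-encode
// every user-controlled segment so "/" and "." survive only as data, never as
// path structure.
function renameNodeUrlSafe(nodeId, newName) {
  const id = encodeURIComponent(String(nodeId));
  const name = encodeURIComponent(newName);
  return new URL(`node/${id}/rename/${name}`, HEADSCALE_BASE).href;
}

// Defensive check: after URL resolution, the request must still sit under the
// exact rename endpoint of the node the caller chose. Any "../" that escaped
// makes this return false.
function staysUnderPrefix(href, nodeId) {
  const prefix = new URL(
    `node/${encodeURIComponent(String(nodeId))}/rename/`,
    HEADSCALE_BASE,
  ).href;
  return href.startsWith(prefix);
}

// Constructed inputs: a benign name and one carrying a traversal sequence.
const BENIGN_NAME = "laptop-2";
const TRAVERSAL_NAME = "../../42";

function demo() {
  return {
    unsafeBenign: renameNodeUrlUnsafe(7, BENIGN_NAME),
    unsafeTraversal: renameNodeUrlUnsafe(7, TRAVERSAL_NAME),
    safeTraversal: renameNodeUrlSafe(7, TRAVERSAL_NAME),
  };
}
```

With the traversal input the unencoded URL resolves to `.../api/v1/node/42`, outside node 7's rename endpoint, while the encoded form stays under `.../node/7/rename/`.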

Impact Analysis

This vulnerability can have significant impacts on the integrity and availability of your Tailnet environment managed by Headplane.

An attacker with authenticated access and minimal privileges can exploit the vulnerability to bypass RBAC controls and perform unauthorized actions such as expiring or renaming arbitrary nodes and users.

Such actions can disrupt Tailnet connectivity, interfere with MagicDNS names, and generally compromise the proper functioning and management of your network.

While there is no known confidentiality impact, the high integrity and availability risks mean that network operations and resource management can be severely affected.

Mitigation Strategies

To mitigate the CVE-2026-46484 vulnerability, you should upgrade Headplane to a patched version where the issue is fixed.

  • Upgrade to version 0.6.3 or later if you are using the stable release.
  • Upgrade to version 0.7.0-beta.3 or later if you are using the beta release.

These versions include fixes that URL-encode user-controlled rename path segments to prevent path traversal and authorization bypass exploits.

Compliance Impact

The vulnerability in Headplane allows an authenticated user to bypass RBAC controls and perform unauthorized rename and expire operations on nodes and users within the Headscale API. This can disrupt availability and integrity of Tailnet connectivity and MagicDNS names.

While there is no known confidentiality impact, the ability to disrupt availability and integrity could affect compliance with standards and regulations that require maintaining system integrity and availability, such as HIPAA and GDPR.

Specifically, regulations like GDPR and HIPAA mandate protecting the integrity and availability of systems processing personal or sensitive data. This vulnerability could undermine those requirements by allowing unauthorized modifications and disruptions.

Therefore, failure to patch this vulnerability could lead to non-compliance with such standards due to compromised system integrity and availability.
