CVE-2026-46484
Deferred - Pending Action

Path Traversal in Headplane Web UI

Vulnerability report for CVE-2026-46484, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description

Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3.


Meta Information

Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-29
AI Q&A: 2026-06-08
EPSS Evaluated: 2026-06-27

Affected Vendors & Products

Vendor      Product     Version / Range
headplane   headplane   up to 0.7.0-beta.3 (excluding)
tale        headplane   up to 0.6.3 (excluding)
tale        headplane   up to 0.7.0-beta.3 (excluding)
tale        headplane   0.6.3
tale        headplane   0.7.0-beta.3


CWE

CWE ID    Description
CWE-285   The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-22    The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Executive Summary

CVE-2026-46484 is a path traversal and role-based access control (RBAC) bypass vulnerability in the Headplane project, specifically affecting versions prior to 0.6.3 and 0.7.0-beta.3.

The vulnerability occurs in the rename API calls for nodes and users, where user-controlled input is inserted directly into the Headscale API URL path without proper URL encoding.

An attacker can manipulate the rename path segments with path traversal sequences (like "../") to escape the intended API endpoint, causing the request to target unauthorized nodes or users.

This allows an authenticated user with certain privileges to bypass RBAC restrictions and perform unauthorized rename or expire actions on arbitrary nodes or users.

The issue was fixed by URL-encoding the user-controlled path segments before sending requests to Headscale, so a crafted rename value can no longer change which endpoint the request targets.
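As an added illustration (not Headplane's or Headscale's own code; the route shape `/api/v1/node/<id>/rename/<name>`, the base URL and the helper names are assumptions), the following TypeScript shows why raw interpolation lets a rename value move the request to a different endpoint, how percent-encoding the segment keeps it on the intended one, and a pre-send check a client wrapper can use as defence in depth:

```typescript
// Added example, not Headplane's or Headscale's own code. The route shape
// "/api/v1/node/<id>/rename/<name>" and all helper names are assumptions
// chosen for illustration.

const HEADSCALE_BASE = "http://headscale.example:8080"; // constructed base URL

// Vulnerable pattern: the user-controlled name is interpolated as-is, so any
// "/" or ".." inside it is treated by the HTTP layer as path structure.
function buildRenamePathUnsafe(nodeId: string, newName: string): string {
  return `/api/v1/node/${nodeId}/rename/${newName}`;
}

// Hardened pattern (the class of fix described for 0.6.3 / 0.7.0-beta.3):
// every user-controlled segment is percent-encoded, so "/" becomes "%2F"
// and the value can only ever occupy a single path segment.
function buildRenamePathSafe(nodeId: string, newName: string): string {
  const id = encodeURIComponent(nodeId);
  const name = encodeURIComponent(newName);
  return `/api/v1/node/${id}/rename/${name}`;
}

// The path as the server will actually see it, after the URL parser has
// applied dot-segment removal ("." and ".." handling).
function resolvedTarget(path: string): string {
  return new URL(path, HEADSCALE_BASE).pathname;
}

// Defence-in-depth check a client wrapper can run before sending: after
// resolution the request must still be a rename of exactly the node the
// caller was authorized for, with the new name occupying one segment.
function staysOnIntendedEndpoint(path: string, nodeId: string): boolean {
  const prefix = `/api/v1/node/${encodeURIComponent(nodeId)}/rename/`;
  const resolved = resolvedTarget(path);
  if (!resolved.startsWith(prefix)) return false;
  const nameSegment = resolved.slice(prefix.length);
  return nameSegment.length > 0 && !nameSegment.includes("/");
}
```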

Impact Analysis

This vulnerability can have significant impacts on the integrity and availability of your Tailnet environment managed by Headplane.

An attacker with authenticated access and minimal privileges can exploit the vulnerability to bypass RBAC controls and perform unauthorized actions such as expiring or renaming arbitrary nodes and users.

Such actions can disrupt Tailnet connectivity, interfere with MagicDNS names, and generally compromise the proper functioning and management of your network.

While there is no known confidentiality impact, the high integrity and availability risks mean that network operations and resource management can be severely affected.

Mitigation Strategies

To mitigate the CVE-2026-46484 vulnerability, you should upgrade Headplane to a patched version where the issue is fixed.

  • Upgrade to version 0.6.3 or later if you are using the stable release.
  • Upgrade to version 0.7.0-beta.3 or later if you are using the beta release.

These versions include fixes that URL-encode user-controlled rename path segments to prevent path traversal and authorization bypass exploits.

Compliance Impact

The vulnerability in Headplane allows an authenticated user to bypass RBAC controls and perform unauthorized rename and expire operations on nodes and users within the Headscale API. This can disrupt availability and integrity of Tailnet connectivity and MagicDNS names.

While there is no known confidentiality impact, the ability to disrupt availability and integrity could potentially affect compliance with standards and regulations that require maintaining system integrity and availability, such as HIPAA and GDPR.

Specifically, regulations like GDPR and HIPAA mandate protecting the integrity and availability of systems processing personal or sensitive data. This vulnerability could undermine those requirements by allowing unauthorized modifications and disruptions.

Therefore, failure to patch this vulnerability could lead to non-compliance with such standards due to compromised system integrity and availability.

Detection Guidance

This vulnerability involves path traversal and RBAC bypass in the Headplane rename API calls, where crafted rename values containing path traversal sequences like "../" can be used to escape intended API endpoints.

To detect exploitation attempts on your network or system, you should monitor API requests to the Headplane rename endpoints for suspicious path traversal sequences in node or user rename parameters.

Specifically, look for HTTP requests containing rename operations with URL paths including "../" or other path traversal patterns that are not properly URL-encoded.

Example commands to detect such attempts could include using network traffic inspection tools or web server logs with grep or similar tools, for instance (the tcpdump form only sees plaintext HTTP; TLS traffic on port 443 has to be inspected at the point where it is decrypted):

  • grep -i 'rename' /var/log/headplane/access.log | grep -iE '\.\./|%2e%2e'
  • tcpdump -A -s 0 'tcp port 80' | grep -i 'rename' | grep -iE '\.\./|%2e%2e'

Additionally, monitoring for unusual rename API calls from authenticated users with node management privileges could help identify attempts to exploit this vulnerability.

Upgrading to patched versions (0.6.3 or 0.7.0-beta.3 and later) is strongly recommended to prevent exploitation.
