Description
Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3.
Published: 2026-06-08
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Headplane allowed an authenticated OIDC user to perform a path traversal and bypass RBAC checks when executing node or user rename or expiration operations. The vulnerability—identified as CWE-22 and CWE-285—enables the attacker to rename or expire any node or user record in Headscale. This directly compromises the integrity of the system's node and user configuration, exposing the environment to unauthorized data changes.

Affected Systems

Headplane, all releases before 0.6.3 and before 0.7.0-beta.3.

Risk and Exploitability

The flaw is exploitable only by users who have already authenticated via OIDC; no privileges beyond normal user access are required. The CVSS score of 8.1 signals high severity. The EPSS score is unavailable, and the vulnerability is not included in the CISA KEV catalog. The patch removes the path traversal from the Headscale API client and restores proper authorization for rename and expiration operations.

Generated by OpenCVE AI on June 8, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Headplane to version 0.6.3 or later, or to 0.7.0-beta.3, to apply the official fix that eliminates the path traversal and RBAC bypass.
  • If an immediate upgrade is not possible, restrict access to the renameNode API by implementing a network-based rule or reverse-proxy filter to block the endpoint until the patch is deployed.
  • Re-audit OIDC user roles and permissions to ensure only authorized accounts have rename or expiration privileges, and monitor logs for abnormal rename activity.


Tracking


Advisories

No advisories yet.

History

Mon, 08 Jun 2026 19:45:00 +0000

Type: Values Removed -> Values Added

Description: (none) -> Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3.

Title: (none) -> Headplane: Path Traversal + RBAC Bypass in renameNode allows authenticated OIDC users to expire or rename any node/user

Weaknesses: (none) -> CWE-22, CWE-285

References: (none) -> (none)

Metrics: (none) -> cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-08T19:09:47.079Z

Reserved: 2026-05-14T18:06:06.810Z

Link: CVE-2026-46484

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-08T20:17:01.437

Modified: 2026-06-08T20:17:01.437

Link: CVE-2026-46484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T22:00:15Z

Weaknesses