HarborGuard Database

CVE-2026-46484 · Severity: HIGH · CNA: GitHub_M

CVE-2026-46484: Headplane: Path Traversal + RBAC Bypass in renameNode allows authenticated OIDC users to expire or rename any node/user

Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: not listed
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A path traversal and RBAC bypass vulnerability exists in Headplane, the web UI for Headscale, affecting versions prior to 0.6.3 and 0.7.0-beta.3. Any authenticated OIDC user can reach the vulnerable renameNode API client path over the network without elevated privileges, bypassing authorization checks to act on nodes or users they should not control. Successful exploitation lets an attacker expire or rename any node or user in the Headscale instance, causing persistent data tampering and potential service disruption across all managed peers. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment fix versions are published upstream.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: CVE-2026-46484 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle Headplane. No manual configuration is needed to trigger the match.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 8.1 (HIGH) and weighting it against each customer environment's configured compliance policy. Triage routing is available to direct the alert to the appropriate team inbox within the customer org based on image ownership and policy thresholds.

Patch: Pending upstream

Because no fix version has been published for CVE-2026-46484 at the time of this writing, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment upstream ships a confirmed fix version. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix is available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Headplane web UI over the network; the CVSS vector specifies AV:N, meaning no local or physical access is required.

  • Authentication: Required

    A low-privilege account is sufficient; the vector specifies PR:L, meaning any valid OIDC-authenticated user can trigger the bypass without needing admin rights.

  • Victim interaction: Not required

    No victim interaction is needed; the vector specifies UI:N, so the attacker acts entirely on their own without involving another user.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special race conditions, timing dependencies, or environmental prerequisites.

Blast Radius

  • Renames any node or user in the Headscale instance, including nodes and users outside the attacker's own scope.
  • Expires any node, effectively evicting it from the Headscale network and disrupting connectivity for that peer.
  • Causes persistent configuration tampering since node and user renames are written to durable state in Headscale.
  • Denial of service is achievable by mass-expiring nodes, taking down VPN connectivity for all affected peers.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against customer images as soon as it appears in upstream advisory feeds, with no published fix version yet available. For environments running affected Headplane versions (prior to 0.6.3, or 0.7.0-beta.1 through 0.7.0-beta.2), HarborGuard surfaces the finding under the HIGH severity tier and applies per-environment compliance policy weighting to route it appropriately.

While no upstream patch exists, compensating controls worth evaluating include:

  • restricting network-policy ingress to the Headplane UI to known trusted source CIDRs;
  • placing the UI behind a separate authentication proxy that enforces tighter role checks;
  • disabling rename and expiry operations at the network policy layer if they are not required for day-to-day operations.

HarborGuard re-evaluates the advisory on every ingest cycle; once upstream publishes versions 0.6.3 or 0.7.0-beta.3 (or later), a patched-image rebuild becomes available, and for customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads are triggered automatically.

Affected packages

  • tale/headplane: < 0.6.3 · >= 0.7.0-beta.1, < 0.7.0-beta.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H