CVE-2026-46484

high

Description

Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3.

References

https://github.com/tale/headplane/security/advisories/GHSA-vgj6-hcf2-fqf6

https://github.com/tale/headplane/releases/tag/v0.7.0-beta.3

https://github.com/tale/headplane/releases/tag/v0.6.3

Details

Source: Mitre, NVD

Published: 2026-06-08

Updated: 2026-06-09

Risk Information

CVSS v2

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Severity: High

EPSS

EPSS: 0.00041