Headplane: Path Traversal + RBAC Bypass in renameNode allows authenticated OIDC users to expire or rename any node/user
CVE-2026-46484

8.1HIGH

Key Information:

Vendor: Tale
Status: Headplane
Vendor: CVE Published:; 8 June 2026

🔔 Create Tale Vulnerability Alert

What is CVE-2026-46484?

Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3.

Affected Version(s)

headplane < 0.6.3 < 0.6.3

headplane >= 0.7.0-beta.1, < 0.7.0-beta.3 < 0.7.0-beta.1, 0.7.0-beta.3

References

https://github.com/tale/headplane/security/advisories/GHS...

x_refsource_CONFIRM

https://github.com/tale/headplane/releases/tag/v0.6.3

x_refsource_MISC

https://github.com/tale/headplane/releases/tag/v0.7.0-beta.3

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
May 14, 2026

CVE-2026-46484 Data

.