CVE Catalog

CVE-2026-46484

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

13th percentile - higher than 13% of all known CVEs

Summary

Headplane, a feature-complete web UI for Headscale, was vulnerable to a path traversal and authorization bypass in the Headscale API client used for node and user rename operations prior to versions 0.6.3 and 0.7.0-beta.3. This issue has been patched in these versions.

Risk Assessment

Exploitation of this vulnerability could lead to unauthorized access to data or functions within the system, posing a significant security threat to the organization.

Recommendation

It is recommended to upgrade to versions 0.6.3 or 0.7.0-beta.3 to eliminate this vulnerability and secure the system against potential attacks.

Original NVD description (English source)

Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS