Headplane
- <= 0.6.2
- >= 0.7.0-beta.1, <= 0.7.0-beta.2
A path traversal vulnerability allowing authorization bypass has been identified in Headplane, a Web UI for Headscale. This issue affects versions up to and including 0.6.2, and 0.7.0-beta.1 through 0.7.0-beta.2. The vulnerability arises in the Headscale API client during node and user rename operations: a user-supplied identifier is placed into the API request path without being confined to a single path segment. It allows an authenticated user to manipulate API requests and reach resources they are not authorized to manage, such as expiring or renaming nodes and users. This can interfere with Tailnet connectivity and administrative processes.
Exploitation of this vulnerability allows a lower-privileged authenticated user to perform unauthorized actions on Tailnet resources, including expiring or renaming nodes and users. Such actions can disrupt Tailnet connectivity and interfere with administrative expectations and policies related to node or user names.
Users should upgrade to Headplane version 0.6.3 or 0.7.0-beta.3, depending on their current version.
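The defensive pattern for this class of bug is to treat every caller-supplied identifier as exactly one path segment and reject anything else before the request is built. The following TypeScript is an added illustration written for this advisory, not Headplane's own code or its actual fix; the helper names, the `/api/v1/<kind>/<id>/rename/<newName>` endpoint shape and the 128-character limit are assumptions chosen for the example.

```typescript
// Added example (not Headplane's code): building Headscale API request paths
// for rename operations from strictly validated segments, so a caller-supplied
// identifier can never change which resource the request addresses.
// API_BASE, the endpoint shape and the length limit are assumptions.
const API_BASE = "/api/v1";

// An identifier used as a request path segment must be a single segment:
// leading alphanumeric, then a short allow-list of characters. This excludes
// "/", "\", "..", "?", "#", "%", whitespace and control characters outright.
const SAFE_SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;

function isSafePathSegment(value: string): boolean {
  // "." and ".." fail the regex because the first character must be alphanumeric.
  return SAFE_SEGMENT.test(value);
}

type ResourceKind = "node" | "user";

// Returns the request path for renaming a node or user, or throws if either
// identifier could escape its intended path segment.
function buildRenamePath(kind: ResourceKind, id: string, newName: string): string {
  if (!isSafePathSegment(id)) {
    throw new Error(`refusing to build request: unsafe ${kind} identifier`);
  }
  if (!isSafePathSegment(newName)) {
    throw new Error("refusing to build request: unsafe new name");
  }
  // encodeURIComponent is a second layer only; the allow-list above is the
  // control, because some proxies and servers decode %2F back into "/".
  return `${API_BASE}/${kind}/${encodeURIComponent(id)}/rename/${encodeURIComponent(newName)}`;
}

// Final check before sending: the built path must still have the fixed shape
// ["", "api", "v1", kind, id, "rename", newName] with exactly seven parts.
function hasExpectedShape(path: string, kind: ResourceKind): boolean {
  const parts = path.split("/");
  return parts.length === 7 && parts[3] === kind && parts[5] === "rename";
}

// Usage with constructed inputs: a normal rename succeeds, a crafted
// identifier is rejected before any request is built.
function demo(): { ok: string; rejected: boolean } {
  const ok = buildRenamePath("node", "42", "laptop");
  let rejected = false;
  try {
    buildRenamePath("user", "bob/../../node/7/expire", "x");
  } catch {
    rejected = true;
  }
  return { ok, rejected };
}
```

A validator like this belongs in the API client, where the path is assembled, rather than only in the UI form: the authorization decision on the server is made against the path that actually arrives, so the client must guarantee that the resource named in the path is the one the user was shown.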