PatchSiren cyber security CVE debrief
CVE-2026-46484 tale CVE debrief
A path traversal and authorization bypass vulnerability was discovered in Headplane, a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, the Headscale API client used by node and user rename operations was vulnerable. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3.
- Vendor: tale
- Product: headplane
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-09
Who should care
Users of Headplane prior to versions 0.6.3 and 0.7.0-beta.3 should apply the patches to prevent exploitation of this vulnerability.
Technical summary
The vulnerability, tracked as CVE-2026-46484, allows for path traversal and authorization bypass in the Headscale API client used by node and user rename operations. The CVSS score for this vulnerability is 8.1, indicating a high severity.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 0.6.3, 0.7.0-beta.3, or later.
- Review Headplane installations to confirm that each one is running a patched version.
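The version review above, as an added example that is not part of the advisory or the Headplane project: it compares version strings by SemVer precedence, because plain string comparison misorders values such as 0.6.10 and 0.7.0-beta.10. The host names and inventory are constructed, and judging 0.7.0 pre-releases separately from the 0.6.x line is an assumption.

```python
import re

# Fixed releases named in the advisory, one per release line.
FIXED_STABLE = "0.6.3"
FIXED_BETA = "0.7.0-beta.3"

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+\S*)?$")


def sort_key(version):
    """Return a tuple that orders versions by SemVer 2.0.0 precedence."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    core = tuple(int(n) for n in m.group(1, 2, 3))
    if m.group(4) is None:
        # A final release outranks every pre-release of the same core version.
        return core + ((1,),)
    # Numeric identifiers compare as integers and sort below alphanumeric ones.
    ids = tuple((0, int(p), "") if p.isdigit() else (1, 0, p)
                for p in m.group(4).split("."))
    return core + ((0,) + ids,)


def is_patched(version):
    key = sort_key(version)
    # Assumption: anything up to 0.6.x is judged against 0.6.3; 0.7.0
    # pre-releases and later are judged against 0.7.0-beta.3.
    fixed = FIXED_STABLE if key[:2] <= (0, 6) else FIXED_BETA
    return key >= sort_key(fixed)


def needs_upgrade(inventory):
    """Return the hosts whose reported Headplane version predates the fix."""
    return sorted(h for h, v in inventory.items() if not is_patched(v))


# Constructed inventory: host names and versions are illustrative only.
SAMPLE = {
    "hp-prod": "0.6.2",
    "hp-stage": "0.6.10",
    "hp-lab": "0.7.0-beta.2",
    "hp-dev": "v0.7.0-beta.10",
    "hp-edge": "0.7.0",
}

if __name__ == "__main__":
    print(needs_upgrade(SAMPLE))
```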
Evidence notes
The CVE-2026-46484 vulnerability was patched in Headplane versions 0.6.3 and 0.7.0-beta.3. More information is available in the referenced resources ref-4, ref-5, and ref-6.
Official resources
CVE-2026-46484 was published on 2026-06-08T20:17:01.437Z and modified on 2026-06-09T15:25:56.860Z.