NIXPKGS-2026-1887
GitHub issue
published 10 hours ago
Headplane: Path Traversal + RBAC Bypass in renameNode allows authenticated OIDC users to expire or rename any node/user
CVE-2026-46484
8.1 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse ignored package headplane-agent
- @LeSuisse accepted
- @LeSuisse published on GitHub
Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3.
References
- https://github.com/tale/headplane/security/advisories/GHSA-vgj6-hcf2-fqf6 (x_refsource_CONFIRM)
- https://github.com/tale/headplane/releases/tag/v0.6.3 (x_refsource_MISC)
- https://github.com/tale/headplane/releases/tag/v0.7.0-beta.3 (x_refsource_MISC)
Affected products
headplane
- < 0.6.3
- >= 0.7.0-beta.1, < 0.7.0-beta.3
Matching in nixpkgs
Package maintainers
- @igor-ramazanov Igor Ramazanov <personal@igorramazanov.tech>
- @StealthBadger747 Erik Parawell <parawell.erik@gmail.com>