{"id":"CVE-2026-46484","summary":"Headplane: Path Traversal + RBAC Bypass in renameNode allows authenticated OIDC users to expire or rename any node/user","details":"Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3.","aliases":["GHSA-vgj6-hcf2-fqf6"],"modified":"2026-07-15T01:49:05.763002073Z","published":"2026-06-08T19:09:47.079Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-22","CWE-285"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46484.json"},"references":[{"type":"WEB","url":"https://github.com/tale/headplane/releases/tag/v0.6.3"},{"type":"WEB","url":"https://github.com/tale/headplane/releases/tag/v0.7.0-beta.3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46484.json"},{"type":"ADVISORY","url":"https://github.com/tale/headplane/security/advisories/GHSA-vgj6-hcf2-fqf6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46484"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tale/headplane","events":[{"introduced":"0"},{"introduced":"73b5d5514e16bf2f1b763b53c28f7e719da23440"},{"fixed":"623e7c03f12f6e46bd956feb48b154d380a21a7e"},{"fixed":"fb4b0b1404bcf30ee5d5639f01f36d45965ed320"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"0.6.3"},{"introduced":"0.7.0-beta.1"},{"fixed":"0.7.0-beta.3"}]}}],"versions":["v0.6.2","v0.7.0-beta.2","v0.7.0-beta.1","v0.6.2-beta.5","v0.6.2-beta.4","v0.6.2-beta.3","v0.6.2-beta.2","v0.6.2-beta.1","v0.6.1","v0.6.0","0.5.10","0.5.9","0.5.8","0.5.7","0.5.6","0.5.5","0.5.4","0.5.3","0.5.2","0.5.1","0.5.0","0.4.1","0.4.0","0.3.9","0.3.8","0.3.7","0.3.6","0.3.5","0.3.4","0.3.3","0.3.2","0.3.1","0.3.0","0.2.4","0.2.3","0.2.2","0.2.1","0.2.0","0.1.9","0.1.8","0.1.7","0.1.6","0.1.5","0.1.4","0.1.3","0.1.2","0.1.1","0.1.0","0.0.10","0.0.9","0.0.8","v0.0.7","v0.0.6","v0.0.5","v0.0.4","v0.0.3","v0.0.2","v0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46484.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}]}