Headplane, a Web UI for Headscale, contained a path traversal and authorization bypass vulnerability (CWE-22 and CWE-285) in its API client used for node and user rename operations. This allowed an attacker with limited privileges to potentially bypass restrictions on file path access, impacting integrity and availability. The vulnerability affects versions before 0.6.3 and between 0.7.0-beta.1 and 0.7.0-beta.3. The issue has been addressed in versions 0.6.3 and 0.7.0-beta.3. The CVSS 3.1 score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating network exploitable with low attack complexity, requiring privileges, no user interaction, and causing high impact on integrity and availability.

Successful exploitation could allow an attacker with some privileges to bypass authorization controls and perform unauthorized file path operations during node and user rename processes. This could lead to modification or disruption of system components, affecting the integrity and availability of the affected system. Confidentiality impact is not indicated. No known exploits in the wild have been reported.

The vulnerability has been patched in Headplane versions 0.6.3 and 0.7.0-beta.3. Users should upgrade to these or later versions to remediate the issue. Patch status is not explicitly confirmed beyond this version information; therefore, users should consult the official vendor advisory or repository for the latest remediation guidance. No alternative mitigations or workarounds are indicated.