TS-2026-002
Vulnerability from tailscale - Published: Wed, 13 May 2026 00:00:00 GMT
Description: ACL capability bypass in the Tailscale client's web interface
What happened?
The Tailscale client runs a local web interface to manage its settings. This web interface can optionally be opened to other tailnet peers, for example to manage a tagged node on a headless host without SSH access. By default the interface is read-only, but tailnet admins can grant permissions to change certain settings using ACL grants.
The /api/routes endpoint on the web interface allows changing the active exit node and the advertised subnet routes. These settings are gated behind the exitNodes and subnets grants respectively.
A bug in the handler reset both settings to their empty state when the request body was empty, even if the caller held neither grant. An empty request therefore acted as an unauthorized "clear" of both settings.
This vulnerability is fixed in Tailscale version 1.98.0 and newer.
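The bug class described above, as an added Go example that is not Tailscale's code and is not taken from the bulletin: a simplified routes update in which each grant check is attached to a field being present in the request while the result is built from a zero value, so an empty body clears both settings without either grant, beside a version that rejects an empty body, starts from the current state and requires the matching grant for every field the caller supplies. The type and function names (Caps, RouteSettings, vulnerableApply, hardenedApply) and the JSON field names are this example's assumptions; the bulletin names only the endpoint and the two grants.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// Caps are the capabilities the caller holds, derived from tailnet ACL grants.
// The two grant names come from the bulletin; the struct is this example's own.
type Caps struct {
	ExitNodes bool // "exitNodes" grant: may change the active exit node
	Subnets   bool // "subnets" grant: may change advertised subnet routes
}

// RouteSettings is the node state the routes endpoint manages (example shape).
type RouteSettings struct {
	ExitNodeID       string
	AdvertisedRoutes []string
}

// routesRequest is the JSON body. Pointer fields distinguish "field absent"
// from "field present but empty"; the JSON names are this example's assumption.
type routesRequest struct {
	UseExitNode      *string   `json:"useExitNode"`
	AdvertisedRoutes *[]string `json:"advertisedRoutes"`
}

var (
	errForbidden = errors.New("caller lacks the grant for this change")
	errEmptyBody = errors.New("empty request body")
)

// vulnerableApply shows the bug class: each grant check hangs off "this field
// appeared in the request", but the result is built from a zero value instead
// of the current state. An empty body skips both checks and still clears both.
func vulnerableApply(body []byte, caps Caps, cur RouteSettings) (RouteSettings, error) {
	var req routesRequest
	if len(body) > 0 {
		if err := json.Unmarshal(body, &req); err != nil {
			return cur, err
		}
	}
	var next RouteSettings // BUG: starts empty rather than from cur
	if req.UseExitNode != nil {
		if !caps.ExitNodes {
			return cur, errForbidden
		}
		next.ExitNodeID = *req.UseExitNode
	}
	if req.AdvertisedRoutes != nil {
		if !caps.Subnets {
			return cur, errForbidden
		}
		next.AdvertisedRoutes = *req.AdvertisedRoutes
	}
	return next, nil // empty body: no check ran, both settings wiped
}

// hardenedApply rejects an empty body, starts from the current state so absent
// fields are preserved, and requires the matching grant for every supplied
// field, including a supplied empty value (a legitimate clear only with the grant).
func hardenedApply(body []byte, caps Caps, cur RouteSettings) (RouteSettings, error) {
	if len(bytes.TrimSpace(body)) == 0 {
		return cur, errEmptyBody
	}
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req routesRequest
	if err := dec.Decode(&req); err != nil {
		return cur, err
	}
	next := cur
	if req.UseExitNode != nil {
		if !caps.ExitNodes {
			return cur, errForbidden
		}
		next.ExitNodeID = *req.UseExitNode
	}
	if req.AdvertisedRoutes != nil {
		if !caps.Subnets {
			return cur, errForbidden
		}
		next.AdvertisedRoutes = append([]string(nil), (*req.AdvertisedRoutes)...)
	}
	return next, nil
}

func main() {
	// Constructed sample state: an exit node in use and one advertised subnet.
	cur := RouteSettings{ExitNodeID: "exit-1", AdvertisedRoutes: []string{"10.0.0.0/24"}}
	got, err := vulnerableApply(nil, Caps{}, cur)
	fmt.Printf("vulnerable, empty body, no grants: %+v err=%v\n", got, err)
	got, err = hardenedApply(nil, Caps{}, cur)
	fmt.Printf("hardened, empty body, no grants:   %+v err=%v\n", got, err)
	_, err = hardenedApply([]byte(`{"useExitNode":""}`), Caps{}, cur)
	fmt.Printf("hardened, explicit clear, no grants: err=%v\n", err)
}
```

Running main prints cleared settings and no error from the vulnerable path, and the preserved settings plus an error from the hardened one. The property to take away: an authorization check keyed on "did the caller ask for X" must be paired with a result that changes only X; otherwise the case where nothing was asked for is a write that nobody checked.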
What was the impact?
A malicious tailnet node could disable the exit node and clear the advertised subnet routes on other tailnet nodes that run the web interface. The malicious user would need to pass the web interface's login check and be granted access to port 5252 on the target node via tailnet ACLs.
Who was affected?
Linux, macOS, and Windows nodes running Tailscale versions from 1.56.0 up to, but not including, 1.98.0, with the web interface explicitly enabled. The interface is opt-in, so nodes that never enabled it were not exposed.
What do I need to do?
If you use the web interface to manage remote nodes, update those nodes to version 1.98.0 or newer.
Credits
We would like to thank N0zoM1z0 (https://github.com/N0zoM1z0) for reporting this issue.
Source: https://tailscale.com/security-bulletins/#ts-2026-002
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.