Emily Trau

**Name of the Vulnerable Software and Affected Versions** Tailscale Windows client versions prior to v1.32.3 **Description** A vulnerability in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, enabling remote code execution. The local API was bound to a local TCP socket and communicated with the Windows client GUI in cleartext with no Host header verification, allowing an attacker-controlled website to rebind DNS to an attacker-controlled DNS server and make local API requests. This can lead to an attacker-controlled coordination server sending malicious URL responses, including pushing executables or installing an SMB share, which allows remote code execution on the node. **Recommendations** If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.

**Name of the Vulnerable Software and Affected Versions** Tailscale client versions prior to v1.32.3 **Description** A vulnerability in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. The peer API was vulnerable to DNS rebinding, allowing an attacker-controlled website to rebind DNS for the peer API to an attacker-controlled DNS server and make peer API requests in the client. This access can be used to read the node’s environment variables, including any credentials or secrets stored in environment variables, such as Tailscale authentication keys. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. There is no evidence of this vulnerability being purposefully triggered or exploited. **Recommendations** Upgrade to v1.32.3 or later to remediate the issue. As a temporary workaround, consider restricting access to the peer API until a patch is available. Avoid using the Tailscale client until the issue is resolved. If you have any questions or comments about this advisory, contact Tailscale support.