TS-2026-003

Vulnerability from tailscale - Published: Fri, 29 May 2026 00:00:00 GMT

Description: OAuth access tokens recorded in tailnet audit logs.

What happened?

The Tailscale coordination server emits an audit log recording all changes to a tailnet's configuration, including the creation and management of access credentials.

A bug in the Tailscale coordination server caused it to record the complete OAuth client access tokens within the audit log entries that describe their creation. This made the OAuth access tokens accessible to other tailnet actors who had access to the logs.

What was the impact?

A tailnet admin with access to audit logs would have been able to retrieve OAuth access tokens from the logs and use them to make authorized requests to the Tailscale API within the token's one-hour validity window.

Who was affected?

All tailnets that used OAuth Clients to create access tokens from March 1st, 2026 to May 29th, 2026 are impacted.

What do I need to do?

There is no action necessary on the part of customers. New access tokens are now recorded in a redacted form in the audit log. Access tokens are created with a maximum valid lifetime of one hour, so all historical tokens have already expired.
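As an added illustration of the bug class and its fix (this is not Tailscale's code), the Go sketch below builds the audit entry that describes a token creation either with the full secret, as in the bug, or with a non-reversible fingerprint, as in the redacted form, and adds a pre-emission check that flags any entry still carrying a credential. The AuditEntry type, the "oat-" token format and the field names are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"regexp"
)

// AuditEntry is a hypothetical flat audit record, not Tailscale's real schema.
type AuditEntry map[string]string

// redactToken keeps a 4-char prefix for correlation plus a truncated SHA-256,
// so the stored value identifies the token without revealing it.
func redactToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	if len(tok) > 4 {
		tok = tok[:4]
	}
	return tok + "..." + fmt.Sprintf("%x", sum[:6])
}

// tokenCreated describes an OAuth token creation: redact=false reproduces the
// bug class in the bulletin (full secret in the entry), redact=true is the fix.
func tokenCreated(token string, redact bool) AuditEntry {
	if redact {
		token = redactToken(token)
	}
	return AuditEntry{"action": "oauth.token.create", "token": token}
}

// Constructed token shape for this demo ("oat-" plus 32 hex chars).
var tokenRe = regexp.MustCompile(`oat-[0-9a-f]{32}`)

// findLeakedTokens serializes entries as they would be written and returns
// those still carrying a full credential: a guard to run before emission.
func findLeakedTokens(entries []AuditEntry) []string {
	var leaked []string
	for _, e := range entries {
		if b, _ := json.Marshal(e); tokenRe.Match(b) {
			leaked = append(leaked, string(b))
		}
	}
	return leaked
}

func main() {
	tok := "oat-0123456789abcdef0123456789abcdef" // constructed sample token
	fmt.Println(findLeakedTokens([]AuditEntry{tokenCreated(tok, false), tokenCreated(tok, true)}))
}
```

Running it prints only the unredacted entry, showing that the redacted form no longer trips the credential check.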

Source: https://tailscale.com/security-bulletins/#ts-2026-003
