From 7d3e7a28e230cd70645297cd28db068445909472 Mon Sep 17 00:00:00 2001
From: Mustafa Enes Batur <40495733+Thifhi@users.noreply.github.com>
Date: Fri, 6 Jun 2025 12:14:11 +0200
Subject: [PATCH] Fix `/machine/map` endpoint vulnerability (#2642)

* Improve map auth logic

* Bugfix

* Add comment, improve error message

* noise: make func, get by node

this commit splits the additional validation into a
separate function so it can be reused if we add more
endpoints in the future.

It swaps the check, so we still look up by NodeKey, but before
accepting the connection, we validate the known machinekey from
the db against the noise connection.

The reason for this is that when a node logs in or out, the node key
is replaced and it will no longer be possible to look it up, breaking
reauthentication.

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com>
---
 CHANGELOG.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2bac683b..5366b62a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,12 @@
 # CHANGELOG
 
-## Next
+## 0.26.1 (2025-06-06)
+
+### Changes
+
+- Ensure nodes are matching both node key and machine key
+  when connecting.
+  [#2642](https://github.com/juanfont/headscale/pull/2642)
 
 ### Database integrity improvements