Being a big fan and user of Tailscale, I got this email and have been updating my agents accordingly.
Tailscale has recently been notified of security vulnerabilities in the Tailscale client which allow a malicious website visited by a device running Tailscale to change the Tailscale daemon configuration and access information in the Tailscale local and peer APIs.
See the security bulletins for further information.
There is no evidence of this vulnerability being purposefully triggered or exploited.
Am I affected?
Yes. Your tailnet has at least one Windows node running a version of Tailscale prior to v1.32.3. See the affected machines in your tailnet in the admin console.
What do I need to do?
Upgrade to v1.32.3 or later or v1.33.257 or later (unstable) to remediate the issue.
I like to ensure this sort of information is shared – and Tailscale does not do it often – so the more news about it, the better.
Thank you, Tailscale 👍
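
To check an inventory against the fixed versions quoted in the email, here is an added example (not Tailscale's code and not part of the email). It assumes device records with `hostname`, `os` and `clientVersion` fields, and relies on Tailscale's numbering, in which an odd minor version marks the unstable track; the sample hosts are constructed.

```python
import re

# Fixed releases quoted in the email above.
FIXED_STABLE = (1, 32, 3)
FIXED_UNSTABLE = (1, 33, 257)
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor, patch), ignoring any build suffix, or None."""
    m = _VERSION_RE.match((text or "").strip())
    return tuple(int(p) for p in m.groups()) if m else None

def status(version_text):
    """Classify a client version string as 'fixed', 'upgrade' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # fail closed: an unreadable version needs a manual look
    # Odd minor = unstable track, so 1.33.100 sorts above 1.32.3 yet is unfixed.
    floor = FIXED_UNSTABLE if version[1] % 2 else FIXED_STABLE
    return "fixed" if version >= floor else "upgrade"

def audit(devices, os_filter="windows"):
    """Return (hostname, version, status) for each device that is not 'fixed'.

    The email names Windows nodes, hence the default; os_filter=None checks all.
    """
    findings = []
    for dev in devices:
        if os_filter and dev.get("os", "").lower() != os_filter:
            continue
        verdict = status(dev.get("clientVersion"))
        if verdict != "fixed":
            findings.append((dev.get("hostname"), dev.get("clientVersion"), verdict))
    return findings

# Constructed sample inventory: hypothetical hosts, assumed field names.
SAMPLE_DEVICES = [
    {"hostname": "win-laptop", "os": "windows", "clientVersion": "1.32.2-t0000000"},
    {"hostname": "win-build", "os": "windows", "clientVersion": "1.32.3-t0000000"},
    {"hostname": "win-canary", "os": "windows", "clientVersion": "1.33.100-t0000000"},
    {"hostname": "win-kiosk", "os": "windows", "clientVersion": ""},
    {"hostname": "linux-srv", "os": "linux", "clientVersion": "1.30.0"},
]

if __name__ == "__main__":
    for host, ver, verdict in audit(SAMPLE_DEVICES):
        print(f"{host}: {ver!r} -> {verdict}")
```

A plain "newer than 1.32.3" comparison would pass `win-canary`, which is why the two tracks are compared against separate floors.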