ts-2025-005
Vulnerability from tailscale
Description: Logging of MDM-provided auth keys
What happened?
A change in Tailscale version 1.84.0 on macOS and iOS caused all MDM-provided configuration values to be logged and uploaded to the Tailscale log server. One of the possible MDM values is an auth key used to automatically register the node. This resulted in the Tailscale log server storing user auth keys along with other client logs.
The logs collected by the Tailscale log server are only accessible to Tailscale employees, so no auth keys were leaked to potential attackers.
Tailscale version 1.86.4 redacts the auth key, and other textual values, before logging them.
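The root cause is a logging path that serialised every received configuration value, secrets included. The usual fix, and the shape of the one the bulletin describes (redacting the auth key "and other textual values"), is to default-deny free text at the point where configuration is rendered for a log. The Go program below is an added example written for this page, not Tailscale's code: the MDM key names, the sample values and the allow list are constructed for illustration, and the "tskey-" prefix check is an assumption about how Tailscale keys are formatted, used only as a backstop.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of an MDM-delivered configuration, modelled as a flat
// key -> value map. Key names and values are invented for this example; they
// are not Tailscale's real MDM keys, and the auth key below is not a real key.
var sampleMDMConfig = map[string]any{
	"LoginURL":      "https://controlplane.example.com",
	"AuthKey":       "tskey-auth-kExample0CNTRL-0123456789abcdefghijklmnopqrstuv",
	"ExitNodeID":    "nExample1",
	"AllowIncoming": true,
	"LogLevel":      2,
}

// safeTextKeys is the explicit allow list of text-valued keys an operator has
// reviewed and decided may appear in logs. Any textual value whose key is not
// listed here is redacted. The list is an assumption of this example.
var safeTextKeys = map[string]bool{
	"loginurl": true,
}

const redacted = "[redacted]"

// LooksLikeAuthKey is a value-based backstop: Tailscale keys are formatted with
// a "tskey-" prefix (assumption of this example), so a value with that prefix
// is refused even when its key is on the allow list. Prefix matching is a
// heuristic, not a complete classifier for secrets.
func LooksLikeAuthKey(v string) bool {
	return strings.HasPrefix(v, "tskey-")
}

// Redact returns a loggable copy of cfg. Booleans and integers are kept, since
// they cannot carry a credential. Every string is replaced with "[redacted]"
// unless its key is allow-listed and the value does not look like a key.
// Empty strings are kept as "" so the log still shows whether a value was set.
// The input map is not modified.
func Redact(cfg map[string]any) map[string]any {
	out := make(map[string]any, len(cfg))
	for k, v := range cfg {
		s, isText := v.(string)
		switch {
		case !isText:
			out[k] = v
		case s == "":
			out[k] = ""
		case safeTextKeys[strings.ToLower(k)] && !LooksLikeAuthKey(s):
			out[k] = s
		default:
			out[k] = redacted
		}
	}
	return out
}

// RenderConfig formats cfg as one sorted "k=v" log line. Sorting keeps the
// output stable so lines can be diffed between runs.
func RenderConfig(cfg map[string]any) string {
	keys := make([]string, 0, len(cfg))
	for k := range cfg {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, fmt.Sprintf("%s=%v", k, cfg[k]))
	}
	return strings.Join(parts, " ")
}

func main() {
	// The unsafe pattern is RenderConfig(sampleMDMConfig) straight into a
	// logger: the auth key would be uploaded with the rest of the values.
	// The safe pattern redacts before anything reaches the log sink.
	fmt.Println("mdm config:", RenderConfig(Redact(sampleMDMConfig)))
}
```

The point of redacting text by default rather than by a blocklist of key names is that a new MDM key added later cannot silently reintroduce the leak; the operator has to consciously allow-list it.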
What was the impact?
MDM-provisioned auth keys were uploaded to the Tailscale log server. No keys have leaked outside of Tailscale infrastructure. Auth keys provided on the CLI or using environment variables were never logged.
The impact depends on the type of auth key used:
- One-off auth keys are used and invalidated when the node is registered; there is no risk to your tailnet
- Reusable auth keys could be used again to register nodes if stolen
- Pre-signed auth keys for Tailnet Lock are like reusable auth keys, but can also register nodes that don't need to be signed by another signing node in the tailnet
Who was affected?
Customers using MDM to distribute auth keys, with macOS and iOS clients running Tailscale versions between 1.84.0 and 1.86.2, are affected.
What do I need to do?
If you don't use MDM to distribute auth keys to your devices, no action is needed.
If you do distribute auth keys with MDM, upgrade all macOS and iOS nodes to Tailscale version 1.86.4 or later. Additionally, if you distribute reusable auth keys, or pre-signed auth keys for Tailnet Lock, we recommend that you rotate these keys.
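To act on this across a fleet you need to turn the bulletin's version range into a check. The Go program below is an added example, not Tailscale tooling: it parses the first line of `tailscale version` output (accepting an optional leading "v" and dropping any "-suffix", which is an assumption about the output format), flags macOS and iOS hosts with an MDM-delivered auth key whose version falls in the range, and lists unparsable versions for manual review. The fleet inventory is constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed major.minor.patch triple.
type Version struct{ Major, Minor, Patch int }

// ParseVersion parses the first line of `tailscale version` output. A leading
// "v" and any "-suffix" (build or commit tags) are dropped; that handling is
// an assumption about the output format made for this example.
func ParseVersion(s string) (Version, error) {
	s = strings.TrimSpace(s)
	if i := strings.IndexByte(s, '\n'); i >= 0 {
		s = s[:i]
	}
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("unrecognised version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("unrecognised version %q", s)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Less reports whether v sorts before w.
func (v Version) Less(w Version) bool {
	if v.Major != w.Major {
		return v.Major < w.Major
	}
	if v.Minor != w.Minor {
		return v.Minor < w.Minor
	}
	return v.Patch < w.Patch
}

// Range from the bulletin: 1.84.0 through 1.86.2 affected, 1.86.4 fixed.
var (
	firstAffected = Version{1, 84, 0}
	lastAffected  = Version{1, 86, 2}
	fixedVersion  = Version{1, 86, 4}
)

// IsAffected reports whether v lies in the bulletin's affected range.
func IsAffected(v Version) bool {
	return !v.Less(firstAffected) && !lastAffected.Less(v)
}

// NeedsUpgrade is the conservative test: anything from 1.84.0 up to but not
// including the fixed release. This also catches any intermediate build the
// bulletin does not name, since the remedy is "1.86.4 or later".
func NeedsUpgrade(v Version) bool {
	return !v.Less(firstAffected) && v.Less(fixedVersion)
}

// Host is one entry in a constructed fleet inventory. MDMAuthKey records
// whether the auth key reaches this device via MDM (the only exposed path).
type Host struct {
	Name, OS, Version string
	MDMAuthKey        bool
}

// Constructed inventory; names, versions and flags are invented.
var sampleFleet = []Host{
	{"mac-01", "macOS", "1.82.5", true},           // before the range
	{"mac-03", "macOS", "1.84.0", true},           // first affected release
	{"ipad-07", "iOS", "1.86.2", true},            // last affected release
	{"mac-09", "macOS", "1.86.4", true},           // fixed
	{"mac-11", "macOS", "1.86.1-tb5d4e0f", false}, // affected build, key not via MDM
	{"linux-02", "Linux", "1.85.0", true},         // platform not affected
	{"mac-13", "macOS", "unknown", true},          // unparsable: review by hand
}

// AffectedHosts returns hosts that need the upgrade (and, if their key is
// reusable or pre-signed, a key rotation): macOS or iOS, auth key via MDM,
// and a version that NeedsUpgrade. Unparsable versions are included so they
// are not silently skipped.
func AffectedHosts(fleet []Host) []string {
	var out []string
	for _, h := range fleet {
		if !h.MDMAuthKey || (h.OS != "macOS" && h.OS != "iOS") {
			continue
		}
		v, err := ParseVersion(h.Version)
		if err != nil || NeedsUpgrade(v) {
			out = append(out, h.Name)
		}
	}
	return out
}

func main() {
	fmt.Println("hosts to upgrade:", strings.Join(AffectedHosts(sampleFleet), ", "))
}
```

Whether a flagged host also requires key rotation is not a property of the host but of the key it was enrolled with: one-off keys were consumed at registration, reusable and pre-signed Tailnet Lock keys should be rotated as the bulletin recommends.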
Source: https://tailscale.com/security-bulletins/#ts-2025-005 (published Thu, 07 Aug 2025)