Vulnerability  ·  2026-07-08

9Router — Unauthenticated OS Command Injection via sudoPassword in Tailscale-Install Endpoint

VulnerabilityHigh impactGlobalCVE-2026-59800
9Router, a self-hosted router/gateway management tool, shipped an installation endpoint that bypassed its own authorization middleware and injected user-controlled input directly into a shell command (CVSS 9.8).
While 9Router itself is a niche network-management tool rather than core AI infrastructure, it is included here for completeness per the seed; blast radius is narrow and limited to self-hosted 9Router deployments — kept as a low-priority catalogued entry rather than a primary AI-ecosystem finding.
The unauthenticated POST /api/tunnel/tailscale-install endpoint is not covered by the dashboard's authorization middleware matcher; the sudoPassword field from the request body is written unsanitized to a shell command, allowing arbitrary OS command injection with no authentication.
9Router, versions before 0.4.44
Upgrade to 9Router >= 0.4.44.
VulnCheck Advisory - 9Router OS Command InjectionNVD - CVE-2026-59800
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →