Vulnerability  ·  2026-07-09

9Router OS Command Injection via Unauthenticated Tailscale-Install Endpoint

VulnerabilityHigh impactGlobalCVE-2026-59800
CVE-2026-59800 (CVSS 9.8 Critical), published July 7, 2026, is an OS command injection in 9Router's unauthenticated tailscale-install endpoint, with confirmed exploitation evidence observed by Shadowserver since July 4, 2026.
Although 9Router is a niche tool, it is used in some AI-dev tunnel/dashboard deployments, and confirmed in-the-wild exploitation of an unauthenticated CVSS 9.8 RCE warrants inclusion as a precise, actively-exploited catalogued vulnerability despite its narrow deployment footprint.
The unauthenticated POST /api/tunnel/tailscale-install endpoint is not covered by the dashboard's authorization middleware matcher; the sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process, so when sudo doesn't prompt for a password (root context, NOPASSWD, or cached timestamp), the value is interpreted as a shell command by sh, granting unauthenticated remote code execution.
9Router before 0.4.44
Upgrade to 9Router ≥0.4.44 per GHSA-g6g7-pvmx-m74p.
GitHub Security Advisory - GHSA-g6g7-pvmx-m74pOffSeq Threat Radar - CVE-2026-59800
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →