CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-59800

criticalCVSS 9.8covered by 2 sourcesfirst seen 2026-07-02
Unauthenticated RCE via /api/tunnel/tailscale-install Affected: 9router (npm package) — current master (v0.4.39). Summary POST /api/tunnel/tailscale-install accepts a JSON body with a sudoPassword field and pipes it, followed by the body of https://tailscale.com/install.sh, into a child process spawned as sudo -S sh. The route is not present in the dashboard middleware matcher in src/proxy.js, so the request reaches the handler without invoking dashboardGuard.proxy(). In deployments where the Node process runs as root (Docker images derived from node:* without a USER directive, npm i -g 9router invoked as root, or systemd units without User=), the spawned sh runs as root and executes the attacker-supplied bytes. Details 1. Middleware matcher (src/proxy.js:3-15) export const config = { matcher: [ "/", "/dashboard/:path*", "/api/shutdown", "/api/settings/:path*", "/api/keys", "/api/keys/:path*", "/api/providers/client", "/api/provider-nodes/validate", "/api/cli-tools/:path*", "/api/mcp/:path*", ], }; Next.js invokes the middleware only for paths matching this list. Routes that are not listed — including the entire /api/tunnel/* family — do not invoke dashboardGuard.proxy(). No cookie, JWT, CLI token, or Host-header check is applied to them. 2. Route handler (src/app/api/tunnel/tailscale-install/route.js:18-67) export async function POST(request) { const body = await request.json().catch(() => ({})); ... const sudoPassword = body.sudoPassword || getCachedPassword() || await loadEncryptedPassword() || ""; ... const result = await installTailscale(sudoPassword, shortId, (msg) => { send("progress", { message: msg }); }); ... } body.sudoPassword comes from the request body and is passed to installTailscale, which dispatches to installTailscaleLinux on Linux. 3. Linux installation routine (src/lib/tunnel/tailscale.js:304-341) async function installTailscaleLinux(sudoPassword, log) { log("Downloading install script..."); return new Promise((resolve, reject) => {

⚡ Watch CVE-2026-59800

Get an email if CVE-2026-59800 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-59800

CVE.org record

Embed the live status

CVE-2026-59800 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-59800 status](https://www.csirts.com/badge/CVE-2026-59800)](https://www.csirts.com/cve/CVE-2026-59800)