CVE-2026-59800
Unauthenticated RCE via /api/tunnel/tailscale-install
Affected: 9router (npm package) — current master (v0.4.39).
Summary
POST /api/tunnel/tailscale-install accepts a JSON body with a sudoPassword field and pipes it, followed by the body of https://tailscale.com/install.sh, into a child process spawned as sudo -S sh. The route is not present in the dashboard middleware matcher in src/proxy.js, so the request reaches the handler without invoking dashboardGuard.proxy(). In deployments where the Node process runs as root (Docker images derived from node:* without a USER directive, npm i -g 9router invoked as root, or systemd units without User=), the spawned sh runs as root and executes the attacker-supplied bytes.
Details
1. Middleware matcher (src/proxy.js:3-15)
export const config = {
matcher: [
"/",
"/dashboard/:path*",
"/api/shutdown",
"/api/settings/:path*",
"/api/keys",
"/api/keys/:path*",
"/api/providers/client",
"/api/provider-nodes/validate",
"/api/cli-tools/:path*",
"/api/mcp/:path*",
],
};
Next.js invokes the middleware only for paths matching this list. Routes that are not listed — including the entire /api/tunnel/* family — do not invoke dashboardGuard.proxy(). No cookie, JWT, CLI token, or Host-header check is applied to them.
2. Route handler (src/app/api/tunnel/tailscale-install/route.js:18-67)
export async function POST(request) {
const body = await request.json().catch(() => ({}));
...
const sudoPassword =
body.sudoPassword || getCachedPassword() || await loadEncryptedPassword() || "";
...
const result = await installTailscale(sudoPassword, shortId, (msg) => {
send("progress", { message: msg });
});
...
}
body.sudoPassword comes from the request body and is passed to installTailscale, which dispatches to installTailscaleLinux on Linux.
3. Linux installation routine (src/lib/tunnel/tailscale.js:304-341)
async function installTailscaleLinux(sudoPassword, log) {
log("Downloading install script...");
return new Promise((resolve, reject) => {
⚡ Watch CVE-2026-59800
Get an email if CVE-2026-59800 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Moderate exploitation risk1.4% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 69% of all EPSS-scored CVEs.
Advisory coverage (2)
- criticalCVE-2026-59800: 9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated PO…nvd · 2026-07-07
- criticalGHSA-g6g7-pvmx-m74p: 9router: Missing Authorization and OS Command Injectionghsa · 2026-07-02
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-59800)