CVE-2026-59800 Overview
CVE-2026-59800 is an OS command injection vulnerability [CWE-78] in 9Router versions before 0.4.44. The flaw resides in the unauthenticated POST /api/tunnel/tailscale-install endpoint, which is excluded from the dashboard middleware matcher. As a result, no authorization check is enforced on the route. The sudoPassword field from the request body is piped to the standard input of a sudo -S sh child process. When sudo does not prompt for a password, sh interprets the supplied value as a shell command. A remote unauthenticated attacker can execute arbitrary operating system commands on the host.
Critical Impact
Remote unauthenticated attackers can execute arbitrary OS commands on affected 9Router hosts, leading to full system compromise.
Affected Products
- 9Router versions prior to 0.4.44
- Deployments running as root or with NOPASSWD sudo configured
- Hosts with a recent sudo timestamp cache active for the service account
Discovery Timeline
- 2026-07-04 - Exploitation activity first observed by the Shadowserver Foundation
- 2026-07-07 - CVE-2026-59800 published to NVD
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-59800
Vulnerability Analysis
The defect combines two design mistakes in 9Router. First, the POST /api/tunnel/tailscale-install route is not covered by the dashboard middleware matcher that enforces authentication. Any network-reachable client can invoke the endpoint without credentials. Second, the handler forwards user-controlled input directly to a privileged shell.
The handler spawns a sudo -S sh child process. It writes the JSON sudoPassword field to that process's standard input. sudo -S reads the first line of stdin as the password. Any additional stdin content is passed through to sh, which parses it as shell commands. When sudo does not require a password, the value intended as a password is treated entirely as a command to sh.
Exploitation succeeds under three conditions: the 9Router process runs as root, the invoking user has NOPASSWD configured, or a valid sudo timestamp cache exists. The Shadowserver Foundation observed exploitation attempts in the wild starting 2026-07-04 (UTC).
Root Cause
The route matcher configuration omits /api/tunnel/tailscale-install from authentication checks. The install handler treats the sudoPassword parameter as an opaque credential and streams it into a privileged shell without sanitization, validation, or command boundary enforcement.
Attack Vector
Exploitation requires only network reachability to the 9Router management interface. An attacker sends a crafted HTTP POST request containing shell metacharacters or full command payloads in the sudoPassword JSON field. When sudo skips its password prompt, sh executes the payload with the privileges of the 9Router process, typically root.
The vulnerability mechanism is described in the GitHub Security Advisory and the VulnCheck Advisory on 9router. No verified proof-of-concept code is republished here.
Detection Methods for CVE-2026-59800
Indicators of Compromise
- HTTP POST requests to /api/tunnel/tailscale-install from unexpected source addresses or without prior authenticated session context.
- Request bodies where the sudoPassword JSON field contains shell metacharacters such as ;, &&, |, backticks, or $( ).
- Unexpected child processes of the 9Router service, particularly sh, sudo, curl, wget, or shells spawning network utilities.
- New cron entries, SSH keys, or systemd units created shortly after requests to the vulnerable endpoint.
Detection Strategies
- Deploy web server or reverse proxy logging that captures request bodies for /api/tunnel/* routes and alerts on shell metacharacters in JSON fields.
- Correlate inbound HTTP requests to the endpoint with process creation events on the host to identify command execution chained from the API call.
- Hunt for anomalous child processes descending from the 9Router service binary, especially interactive shells or reverse-shell tooling.
Monitoring Recommendations
- Alert on any invocation of /api/tunnel/tailscale-install on 9Router versions prior to 0.4.44.
- Monitor /var/log/auth.log and sudo logs for unexpected non-interactive sudo -S sh invocations.
- Track outbound network connections originating from the 9Router host to unknown destinations following API activity.
How to Mitigate CVE-2026-59800
Immediate Actions Required
- Upgrade 9Router to version 0.4.44 or later on all deployments.
- Restrict network exposure of the 9Router management interface to trusted administrative networks only.
- Audit the underlying host for signs of prior exploitation, including new user accounts, SSH keys, and scheduled tasks.
- Rotate credentials, tokens, and keys accessible from any host that ran a vulnerable 9Router version.
Patch Information
Upgrade to 9Router 0.4.44 or later. The fix is described in the GitHub Security Advisory GHSA-g6g7-pvmx-m74p. The patched release adds the tailscale-install route to the authenticated middleware matcher and eliminates the unsafe stdin passthrough to sudo -S sh.
Workarounds
- Block external access to /api/tunnel/tailscale-install at a reverse proxy or firewall until patching is complete.
- Run the 9Router service under a dedicated unprivileged account without NOPASSWD sudo rights.
- Clear existing sudo timestamp caches for the service account and set Defaults timestamp_timeout=0 in /etc/sudoers to force password prompts.
# Configuration example: block the vulnerable endpoint at nginx until upgrade
location = /api/tunnel/tailscale-install {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

