CVE-2026-59800: 9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-i
Summary
9Router versions before 0.4.44 have a critical vulnerability where an unauthenticated attacker can execute arbitrary OS commands through the /api/tunnel/tailscale-install endpoint. The vulnerability exists because the sudoPassword field from user input is passed directly to a shell command without proper validation, and the endpoint lacks authorization checks (middleware matcher protection). An attacker can exploit this when sudo doesn't prompt for a password, such as when the process runs as root or NOPASSWD is configured.
Solution / Mitigation
Update 9Router to version 0.4.44 or later.
Vulnerability Details
9.8(critical)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
network
low
none
none
July 7, 2026
Classification
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-59800
First tracked: July 7, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 45%