Skip to main content

9Router CVE-2026-59800

| EUVDEUVD-2026-42073 CRITICAL
OS Command Injection (CWE-78)
2026-07-07 disclosure@vulncheck.com GHSA-g6g7-pvmx-m74p
9.2
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network, unauthenticated (PR:N/UI:N) with root-level C/I/A impact, but AC:H because execution requires the non-default sudo condition (root/NOPASSWD/cached timestamp); no scope change so S:U.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 20:01 EUVD
Analysis Generated
Jul 07, 2026 - 19:32 vuln.today

DescriptionCVE.org

9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, so no authorization check is applied). The sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process. When sudo does not prompt for a password (the process runs as root, NOPASSWD is configured, or a recent sudo timestamp cache exists), the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC).

AnalysisAI

Remote unauthenticated OS command injection in 9Router before 0.4.44 lets attackers run arbitrary commands as root via the POST /api/tunnel/tailscale-install endpoint, which is excluded from the dashboard authorization middleware. The attacker-supplied sudoPassword field is piped to the stdin of a 'sudo -S sh' child process; when sudo does not prompt for a password, sh interprets that value as a shell command. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed 9Router API
Delivery
POST crafted sudoPassword to /api/tunnel/tailscale-install
Exploit
Bypass middleware, reach 'sudo -S sh'
Execution
sudo does not prompt, sh runs input as command
Impact
Execute arbitrary commands as root

Vulnerability AssessmentAI

Exploitation Exploitation requires reaching the unauthenticated POST /api/tunnel/tailscale-install endpoint over the network (this specific route is not covered by the dashboard middleware matcher, so no authentication is needed) and supplying a crafted sudoPassword body field. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue rather than an inflated CVSS number: the CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) describes network-reachable, low-complexity, unauthenticated exploitation with high confidentiality, integrity and availability impact, and code execution occurs as root. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scanning the internet for exposed 9Router dashboards sends a single crafted POST to /api/tunnel/tailscale-install with a sudoPassword body value containing shell metacharacters/commands. Because the route bypasses the dashboard authorization middleware and the underlying 'sudo -S sh' does not prompt (the service runs as root or has cached/NOPASSWD sudo), the injected string is executed by sh as root, giving full command execution with no authentication or user interaction. …
Remediation Upgrade to 9Router 0.4.44 or later - Vendor-released patch: 0.4.44 - per GitHub advisory GHSA-g6g7-pvmx-m74p (https://github.com/decolua/9router/security/advisories/GHSA-g6g7-pvmx-m74p) and the VulnCheck advisory (https://www.vulncheck.com/advisories/9router-os-command-injection-via-sudopassword-parameter-in-tailscale-install-endpoint). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all 9Router instances running versions 0.4.43 or earlier and implement emergency network access controls restricting access to the vulnerable POST /api/tunnel/tailscale-install endpoint. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59800 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy