OS Command Injection Vulnerability in 9Router by Decolua
CVE-2026-59800
What is CVE-2026-59800?
9Router versions prior to 0.4.44 are susceptible to an OS command injection vulnerability, found in the unauthenticated POST /api/tunnel/tailscale-install endpoint. This endpoint lacks an authorization check due to it not being covered by the dashboard middleware matcher. As a result, the 'sudoPassword' field in the request body can be executed as a shell command. If the system is configured with NOPASSWD or if certain conditions regarding the sudo timestamp cache are met, a remote attacker can leverage this flaw to execute arbitrary OS commands with root privileges, posing a serious risk to system integrity. The first indication of exploitation was logged by the Shadowserver Foundation on July 4, 2026.
Affected Version(s)
9router 0 < 0.4.44
9router 0.4.44
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved
