OS Command Injection Vulnerability in 9Router by Decolua
CVE-2026-59800

9.2CRITICAL

Key Information:

Vendor

Decolua

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-59800?

9Router versions prior to 0.4.44 are susceptible to an OS command injection vulnerability, found in the unauthenticated POST /api/tunnel/tailscale-install endpoint. This endpoint lacks an authorization check due to it not being covered by the dashboard middleware matcher. As a result, the 'sudoPassword' field in the request body can be executed as a shell command. If the system is configured with NOPASSWD or if certain conditions regarding the sudo timestamp cache are met, a remote attacker can leverage this flaw to execute arbitrary OS commands with root privileges, posing a serious risk to system integrity. The first indication of exploitation was logged by the Shadowserver Foundation on July 4, 2026.

Affected Version(s)

9router 0 < 0.4.44

9router 0.4.44

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Vũ Chí Thành (@vcth4nh)
Huỳnh Đức Tin (@Ductinn)
.