CVE-2026-59800
Received Received - Intake

OS Command Injection in 9Router

Vulnerability report for CVE-2026-59800, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: VulnCheck

Description

9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, so no authorization check is applied). The sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process. When sudo does not prompt for a password (the process runs as root, NOPASSWD is configured, or a recent sudo timestamp cache exists), the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59800 is a critical OS command injection vulnerability in 9Router versions before 0.4.44. It exists in the unauthenticated POST endpoint /api/tunnel/tailscale-install, where the sudoPassword parameter from the request body is passed directly to a 'sudo -S sh' child process without proper sanitization or authorization checks.

If sudo is configured to not prompt for a password (due to running as root, NOPASSWD settings, or cached credentials), the sudoPassword value is interpreted as a shell command by sh. This allows a remote unauthenticated attacker to execute arbitrary operating system commands on the host.

The vulnerability was first observed exploited in the wild by the Shadowserver Foundation on July 4, 2026.

Impact Analysis

This vulnerability allows remote unauthenticated attackers to execute arbitrary OS commands with root privileges on affected 9Router installations.

  • Attackers can gain full control over the affected system, potentially leading to data theft, system compromise, or disruption of services.
  • Systems running 9Router as root or with sudo NOPASSWD privileges are especially at risk.
  • Exploitation can lead to severe impacts on confidentiality, integrity, and availability of the system.
Detection Guidance

This vulnerability can be detected by checking if your 9Router installation is running a vulnerable version (before 0.4.44) and if the /api/tunnel/tailscale-install endpoint is accessible without authentication.

You can attempt to detect exploitation by monitoring for unusual POST requests to the /api/tunnel/tailscale-install endpoint containing the sudoPassword field.

A practical detection method is to send a crafted unauthenticated POST request with a benign command in the sudoPassword field to see if it executes. For example, sending a payload like {"sudoPassword": "id > /tmp/pwned.txt; exit 0"} and then checking if the file /tmp/pwned.txt is created on the system.

  • Use curl to send a test POST request: curl -X POST http://<target-ip>/api/tunnel/tailscale-install -H 'Content-Type: application/json' -d '{"sudoPassword":"id > /tmp/pwned.txt; exit 0"}'
  • Check for the presence of the file created by the test command: ls -l /tmp/pwned.txt
  • Monitor network traffic or logs for unauthenticated POST requests to /api/tunnel/tailscale-install.
Mitigation Strategies

The immediate mitigation step is to upgrade 9Router to version 0.4.44 or later, where this vulnerability is patched.

If upgrading is not immediately possible, restrict access to the /api/tunnel/tailscale-install endpoint to trusted users or networks to prevent unauthenticated access.

Review and adjust sudo configurations to avoid NOPASSWD settings for the user running 9Router, reducing the risk of command injection via sudoPassword.

Run 9Router under a non-root user context, for example by configuring Docker containers with a USER directive or systemd units with a User= directive, to limit the impact of potential exploitation.

Compliance Impact

CVE-2026-59800 allows remote unauthenticated attackers to execute arbitrary OS commands as root due to an OS command injection vulnerability in 9Router. This can lead to unauthorized access, data breaches, and system compromise.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

Specifically, exploitation of this vulnerability could result in exposure or alteration of personal or protected health information, violating confidentiality and integrity requirements mandated by these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59800. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart