PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59800 decolua CVE debrief

The CVE record for CVE-2026-59800 was published on 2026-07-07T19:16:55.260Z and has not been modified since then. The NVD entry is currently available. This vulnerability is an OS command injection vulnerability in 9Router before 0.4.44, which exists in the unauthenticated POST /api/tunnel/tailscale-install endpoint. The sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process. When sudo does not prompt for a password, the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. The vulnerability has a high severity score and requires immediate attention from users of 9Router before version 0.4.44.

Vendor
decolua
Product
9router
CVSS
CRITICAL 9.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of 9Router before version 0.4.44 should apply the patch to prevent exploitation of this vulnerability. Additionally, administrators and security teams responsible for managing and securing 9Router deployments should review the vulnerability details and take necessary actions to mitigate the risk. This includes restricting access to the /api/tunnel/tailscale-install endpoint and monitoring for suspicious activity.

Technical summary

CVE-2026-59800 is an OS command injection vulnerability in 9Router before 0.4.44. The vulnerability exists in the unauthenticated POST /api/tunnel/tailscale-install endpoint. The sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process. When sudo does not prompt for a password, the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. The vulnerability has a CVSS score of 9.2 and a severity of CRITICAL.

Defensive priority

High

Recommended defensive actions

  • Apply the patch to upgrade 9Router to version 0.4.44 or later
  • Restrict access to the /api/tunnel/tailscale-install endpoint
  • Monitor for suspicious activity on the /api/tunnel/tailscale-install endpoint
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC). The evidence suggests that the vulnerability is being actively exploited in the wild. However, due to the limited information available, further verification is required to confirm the extent of the exploitation and the potential impact on affected systems.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T19:16:55.260Z and has not been modified since then.