PatchSiren cyber security CVE debrief
CVE-2026-59800 decolua CVE debrief
The CVE record for CVE-2026-59800 was published on 2026-07-07T19:16:55.260Z and has not been modified since then. The NVD entry is currently available. This vulnerability is an OS command injection vulnerability in 9Router before 0.4.44, which exists in the unauthenticated POST /api/tunnel/tailscale-install endpoint. The sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process. When sudo does not prompt for a password, the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. The vulnerability has a high severity score and requires immediate attention from users of 9Router before version 0.4.44.
- Vendor
- decolua
- Product
- 9router
- CVSS
- CRITICAL 9.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of 9Router before version 0.4.44 should apply the patch to prevent exploitation of this vulnerability. Additionally, administrators and security teams responsible for managing and securing 9Router deployments should review the vulnerability details and take necessary actions to mitigate the risk. This includes restricting access to the /api/tunnel/tailscale-install endpoint and monitoring for suspicious activity.
Technical summary
CVE-2026-59800 is an OS command injection vulnerability in 9Router before 0.4.44. The vulnerability exists in the unauthenticated POST /api/tunnel/tailscale-install endpoint. The sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process. When sudo does not prompt for a password, the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. The vulnerability has a CVSS score of 9.2 and a severity of CRITICAL.
Defensive priority
High
Recommended defensive actions
- Apply the patch to upgrade 9Router to version 0.4.44 or later
- Restrict access to the /api/tunnel/tailscale-install endpoint
- Monitor for suspicious activity on the /api/tunnel/tailscale-install endpoint
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC). The evidence suggests that the vulnerability is being actively exploited in the wild. However, due to the limited information available, further verification is required to confirm the extent of the exploitation and the potential impact on affected systems.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T19:16:55.260Z and has not been modified since then.