Skip to main content
Back to Newswire
Security

TS-2026-009: Insecure argument handling in Tailscale SSH permitted root access

TS-2026-009: Insecure argument handling in Tailscale SSH permitted root access Image: Primary
Tailscale said it fixed insecure argument handling in Tailscale SSH that permitted root access in violation of access control lists. The vulnerability tracked as TS-2026-009 affected Linux hosts that rely on autogroup:nonroot user restrictions in Tailscale ACLs. Tailscale SSH previously accepted usernames that contained a leading dash character. On Linux platforms these usernames were passed as arguments to getent to retrieve the corresponding passwd entry where they were interpreted as flags permitting attacker-controlled behavior. Specifically if a user connected with the username -i this would have been interpreted as --no-idn and getent would have printed the entire passwd file contents starting with the root user causing Tailscale to open an interactive root session. A user with SSH access to a Linux node would have been able to obtain a root session by connecting with the username -i in violation of ACL policy. Tailscale SSH now rejects usernames with leading dashes. The vulnerability is fixed in Tailscale version 1.98.9 or newer. Users of Tailscale SSH should upgrade to version 1.98.9 or newer. Tailscale thanked Anthropic and Ada Logics for reporting the issue.
Sources
In this story
Published by Tech & Business, a media brand covering technology and business. This story was sourced from tailscale.com and reviewed by the T&B editorial agent team.