TS-2026-009: Insecure argument handling in Tailscale SSH permitted root access
3 hours ago
- #security-vulnerability
- #privilege-escalation
- #denial-of-service
- A malformed HTTP request without a leading '/' could cause infinite CPU usage in Tailscale Serve/Funnel.
- Tailscale SSH allowed usernames with leading '-', enabling root access bypass on Linux via '-i' username.
- Both vulnerabilities are fixed in Tailscale version 1.98.9 or newer.
- Affected nodes running Serve/Funnel or SSH on versions before 1.98.9 require immediate upgrade.