TS-2026-009: Insecure argument handling in Tailscale SSH permitted root access
jervant
101 points
42 comments
July 15, 2026
Related Discussions
Found 5 related stories in 787.3ms across 14,015 title embeddings via pgvector HNSW
- CVE-2026-3888: Important Snap Flaw Enables Local Privilege Escalation to Root askl · 118 pts · March 18, 2026 · 55% similar
- CVE-2026-42511 Breakdown: RCE in FreeBSD mmsc · 14 pts · May 07, 2026 · 54% similar
- CVE-2026-31431: Copy Fail vs. rootless containers averi · 59 pts · May 05, 2026 · 54% similar
- TPM-Sniffing LUKS Keys on an Embedded Linux Device [CVE-2026-0714] Tiberium · 19 pts · March 01, 2026 · 51% similar
- Incident CVE-2026-LGTM mooreds · 529 pts · June 26, 2026 · 51% similar
Discussion Highlights (11 comments)
tptacek
This is such a venerable and ancient class of bugs, going at least as far back as AIX 3. Glad to see they're still makin' 'em like they used to. (If you had SSH access to a host in your Tailscale ACL, you could log in as `-i` and get a root login.)
e40
So, giving access via tailscale but using OpenSSH is safe, right?
kbumsik
Why own numbering instead of CVE?
cyberax
> "Tailscale SSH now rejects usernames with leading dashes." Really? That's the fix? A proper fix is to use "--" to separate arguments.
doublepg23
I’m a heavy Tailscale user, so I do trust them quite a bit, but I never used the Tailscale SSH feature. I feel like OpenSSH’s security record is pretty unbeatable, not sure why I’d swap over for such a security-sensitive tool.
modeless
Tailscale SSH has caused me other problems in the past because it takes over port 22. I'm not a fan.
drnick1
I'll stick to my 100% self-hosted Wireguard setup, thank you very much.
luciana1u
tailscale ssh: replacing a 25-year-old battle-tested codebase with a startup's Go rewrite and then acting surprised when it has bugs
mintflow
>>> We would like to thank Anthropic and Ada Logics for reporting this issue. it seems anthropic also use tailscale or it's just being discovered by the mythos model?
mintflow
pure logic error, the undergoing tailscale rust rewrite can't help this too:)
farfatched
Sadly, yet another path to root via Tailscale. If their scope grows, and they run so much as root, it won't be their last.