Tailscale SSH vulnerability permits root access
A security vulnerability (TS-2026-009) in Tailscale SSH allowed attackers to gain unauthorized root access on Linux platforms due to insecure handling of usernames with leading dashes. The issue occurred because usernames starting with a dash were passed directly to the getent utility and interpreted as command-line flags, which Tailscale has now fixed by prohibiting such usernames.
Allowing unsanitized, user-provided inputs to interface directly with low-level system binaries remains a common vector for argument injection, proving that even security-focused infrastructure platforms must enforce strict validation at boundaries. Specifically, passing unsanitized input to utility commands like getent allows options and flags to be injected to alter the execution flow. This flaw permitted users to bypass configured access control list restrictions to gain root shell access on the target node. Ultimately, while remediating the vulnerability is as simple as disallowing leading dashes in usernames, it highlights the constant necessity of robust input filtering at all boundaries.
DISCOVERED
1d ago
2026-07-15
PUBLISHED
1d ago
2026-07-15
RELEVANCE
AUTHOR
jervant