TS-2026-009: Insecure argument handling in Tailscale SSH permitted root access
Tailscale released security updates addressing two vulnerabilities in version 1.98.9: one allows a malformed HTTP request to Tailscale Serve or Funnel to consume an entire CPU core indefinitely, and another permits SSH users on Linux to gain unauthorized root access by using a username starting with a dash character. Both vulnerabilities affect users running older versions and require immediate upgrading to patch the issues.
Read Full Article →