Skip to content
Verified reproduction

CVE-2026-59800: 9router before 0.4.44 allows unauthenticated remote OS command execution via the /api/tunnel/tailscale-install endpoint by injecting shell commands in the sudoPassword field when sudo does not prompt for a password.

CVE-2026-59800 is verified against 9router (npm) · npm affected versions: < 0.4.44 (advisory states <= v0.4.39) fixed version: 0.4.44 (GitHub advisory page); OSV lists 0.4.45 as fixed range vulnerability class: Command Injection This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00270.

REPRO-2026-00270 9router (npm) · npm Command Injection Variant found Jul 8, 2026 .txt
Severity CRITICAL
Confidence MEDIUM
Reproduced in 45m 53s
Tool calls 382
Spend $12.03
Affected < 0.4.44 (advisory states <= v0.4.39)
Fixed in 0.4.44 (GitHub advisory page); OSV lists 0.4.45 as fixed range
$ pruva-verify REPRO-2026-00270
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00270/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

An unauthenticated POST to /api/tunnel/tailscale-install in 9router (<0.4.44) can trigger OS command injection. The endpoint is not covered by the dashboard middleware matcher, so no authorization checks are applied. The sudoPassword field is written to stdin of a sudo -S sh child process; if sudo does not prompt for a password (running as root, NOPASSWD configured, or a recent sudo timestamp), the value is interpreted by sh as shell input, enabling arbitrary command execution.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/artifact_promotion_manifest.json26.9 KB
bundle/artifact_promotion_report.json37.0 KB
bundle/vuln_variant/root_cause_equivalence.json0.9 KB
bundle/repro/reproduction_steps.sh20.7 KB
bundle/repro/rca_report.md8.3 KB
bundle/repro/validation_verdict.json0.8 KB
bundle/repro/runtime_manifest.json1.3 KB
bundle/logs/demo_response.txt0.2 KB
bundle/logs/reproduction_steps.log2.0 KB
bundle/logs/vuln_1_response.txt0.3 KB
bundle/logs/fixed_1_response.txt0.0 KB
bundle/logs/vuln_1_server.log1.8 KB
bundle/logs/vuln_1_sudo_shim.log0.4 KB
bundle/logs/vuln_2_response.txt0.3 KB
bundle/logs/vuln_2_sudo_shim.log0.4 KB
bundle/logs/fixed_1_server.log1.5 KB
bundle/logs/fixed_2_response.txt0.0 KB
bundle/vuln_variant/reproduction_steps.sh11.7 KB
bundle/logs/vuln_variant/reproduction_steps.log2.2 KB
bundle/vuln_variant/validation_verdict.json3.1 KB
bundle/vuln_variant/variant_manifest.json3.7 KB
bundle/vuln_variant/patch_analysis.md6.8 KB
bundle/vuln_variant/rca_report.md9.0 KB
bundle/vuln_variant/runtime_manifest.json2.4 KB
bundle/logs/vuln_variant/fixed_c0_parent_install_baseline_http_code.txt0.0 KB
bundle/logs/vuln_variant/fixed_c0_parent_install_baseline_marker.txt0.0 KB
bundle/logs/vuln_variant/fixed_c0_parent_install_baseline_response.txt0.0 KB
bundle/logs/vuln_variant/fixed_c1_install_trailing_slash_http_code.txt0.0 KB
bundle/logs/vuln_variant/fixed_c1_install_trailing_slash_marker.txt0.0 KB
bundle/logs/vuln_variant/fixed_c1_install_trailing_slash_response.txt0.0 KB
bundle/logs/vuln_variant/fixed_c2_start_daemon_http_code.txt0.0 KB
bundle/logs/vuln_variant/fixed_c2_start_daemon_marker.txt0.0 KB
bundle/logs/vuln_variant/fixed_c2_start_daemon_response.txt0.0 KB
bundle/logs/vuln_variant/fixed_c3_cli_tools_mitm_http_code.txt0.0 KB
bundle/logs/vuln_variant/fixed_c3_cli_tools_mitm_marker.txt0.0 KB
bundle/logs/vuln_variant/fixed_c3_cli_tools_mitm_response.txt0.0 KB
bundle/logs/vuln_variant/fixed_server.log1.1 KB
bundle/logs/vuln_variant/fixed_version.txt0.1 KB
bundle/logs/vuln_variant/latest_version.txt0.0 KB
bundle/logs/vuln_variant/route_files.log3.6 KB
bundle/logs/vuln_variant/shell_sink_scan.log30.4 KB
bundle/logs/vuln_variant/vuln_c0_parent_install_baseline_http_code.txt0.0 KB
bundle/logs/vuln_variant/vuln_c0_parent_install_baseline_marker.txt0.1 KB
bundle/logs/vuln_variant/vuln_c0_parent_install_baseline_response.txt0.3 KB
bundle/logs/vuln_variant/vuln_c1_install_trailing_slash_http_code.txt0.0 KB
bundle/logs/vuln_variant/vuln_c1_install_trailing_slash_marker.txt0.0 KB
bundle/logs/vuln_variant/vuln_c1_install_trailing_slash_response.txt0.0 KB
bundle/logs/vuln_variant/vuln_c2_start_daemon_http_code.txt0.0 KB
bundle/logs/vuln_variant/vuln_c2_start_daemon_marker.txt0.0 KB
bundle/logs/vuln_variant/vuln_c2_start_daemon_response.txt0.0 KB
bundle/logs/vuln_variant/vuln_c3_cli_tools_mitm_http_code.txt0.0 KB
bundle/logs/vuln_variant/vuln_c3_cli_tools_mitm_marker.txt0.0 KB
bundle/logs/vuln_variant/vuln_c3_cli_tools_mitm_response.txt0.0 KB
bundle/logs/vuln_variant/vuln_server.log1.6 KB
bundle/logs/vuln_variant/vuln_sudo_shim.log1.7 KB