• 7 min read
Tailscale SSH bugs opened paths to root access
Tailscale ships fixes for multiple SSH, Serve, and Services vulnerabilities, including several that allowed unintended root access.

Image: Hacker News
Multiple Tailscale security bugs fixed in 1.98.9
Tailscale has published a batch of security bulletins covering several issues across Tailscale SSH, Serve, Funnel, Services, and macOS clients. Most of the newly fixed bugs require upgrading to version 1.98.9 or newer, with one macOS issue fixed in 1.94.0 and a web UI bug fixed in 1.98.0.
Several of the vulnerabilities allowed bypassing ACLs or accessing privileged Unix sockets, with two separate paths to unintended root SSH access.
---
TS-2026-009: Tailscale SSH username parsing allowed root
Description: Insecure command line argument handling in Tailscale SSH permitted root user access in violation of ACLs.

Recommended reading
Mira Murati’s lab unveils Inkling, a 975B open model
Tailscale reports that Tailscale SSH previously accepted usernames starting with a leading — on Linux. These were passed directly to getent(1) to resolve user information and were interpreted as flags instead of usernames.
Specifically, a user connecting with the username -i would trigger --no-idn, causing getent to print the entire passwd file starting with the root user. Tailscale then opened an interactive root session.
Tailscale SSH now rejects usernames with leading dashes. This is fixed in Tailscale 1.98.9 or newer.
Impact:
A user with SSH access to a Linux node could obtain a root session by connecting with the username -i, violating ACL policy.
Who was affected:
Users of Tailscale SSH on Linux hosts that rely on autogroup:nonroot restrictions in Tailscale ACLs.
Action:
If you use Tailscale SSH, upgrade to 1.98.9 or newer.
Tailscale credits Anthropic and Ada Logics for reporting this issue.
---
Other 1.98.9 fixes: SSH, Services, Serve, and Funnel
Several additional vulnerabilities are fixed in the same 1.98.9 release.
TS-2026-008: Serve/Funnel CPU pin via malformed HTTP
A single malformed HTTP request to a node running Tailscale Serve or Funnel could pin a CPU core indefinitely.
Tailscale walked request paths upward assuming they started with /. For paths that did not begin with /, the walk never reached /, causing an infinite loop with no request timeout and one goroutine holding a core at 100% for the life of the process.
Tailscale now terminates path walking for non-absolute paths, returns no handler, and closes the request. Fixed in 1.98.9 or newer.
Impact: Any peer (for Serve) or unauthenticated internet host (for Funnel) could send a crafted HTTP request to permanently consume a CPU core.
Affected: Nodes running Tailscale Serve or Funnel prior to 1.98.9.
Tailscale credits Anthropic and Ada Logics.
TS-2026-007: Services could reach loopback-only listeners
For Tailscale Services, nodes advertising services could accept inbound traffic on service IPs for ports they did not advertise. Packets to these ports were forwarded to any process on the host loopback interface listening on that port.
Tailscale now filters and rejects such packets with the appropriate TCP RST when no handler exists. Fixed in 1.98.9 or newer.
Impact: A user with ACL access to a Tailscale Service could reach processes bound only to loopback on the hosting node by addressing the service on non-advertised ports.
Affected: Users of Tailscale Services that rely on loopback-only access restrictions.
TS-2026-006: UID-based SSH login bypassed root ACLs
Tailscale SSH previously allowed users to be addressed by username or numeric UID, but root restrictions only applied to usernames.
A user with non-root SSH access could SSH as 0@host and gain root in violation of ACLs. Tailscale has now disallowed UIDs or numeric-only usernames over SSH. Fixed in 1.98.9 or newer.
Affected: Tailscale SSH on Linux/Unix hosts relying on autogroup:nonroot ACLs.
Tailscale credits Tim Hoffman (GM).
TS-2026-005: Non-root Serve operator could proxy privileged sockets
Tailscale Serve can proxy to Unix domain sockets such as unix:/var/run/docker.sock. Non-root local users configured as the Tailscale operator can write Serve config through the LocalAPI.
Tailscale restricted filesystem path targets to root, but this check did not include Unix socket proxy targets. A non-root operator could have the tailscaled process running as root proxy to privileged Unix sockets, bypassing filesystem permissions.
Unix socket proxy targets are now restricted to root. Fixed in 1.98.9 or newer.
Affected: Linux/Unix hosts running Serve where a non-root operator is configured and privileged Unix sockets (Docker, containerd, CRI) exist.
Tailscale credits Tim Sageser (dtrsecurity).
TS-2026-004: SSH Unix socket forwarding and symlink abuse
Tailscale SSH supports forwarding Unix sockets, but its permission checks only did lexical path matching. An attacker could create a symlink they owned (e.g. /home/$USER/my.sock) pointing to a privileged socket like /var/run/docker.sock.
Because Tailscale runs as root, it would bind the privileged destination over SSH. Tailscale SSH now checks for symlinks and validates resolved destinations against allowlists, denying any outside them. Fixed in 1.98.9 or newer.
Affected: Tailscale SSH on shared Linux/Unix hosts relying on filesystem permissions for Unix sockets.
Tailscale again credits Tim Sageser (dtrsecurity).
---
OAuth token exposure in audit logs (TS-2026-003)
The Tailscale coordination server emits audit logs for configuration changes, including access credential creation. A bug caused it to record complete OAuth client access tokens in these logs.
This made tokens visible to other actors with audit log access.
Impact: A tailnet admin with log access could retrieve OAuth tokens and use them to call the Tailscale API within the token’s one hour validity.
Affected: All tailnets using OAuth Clients to create access tokens from March 1st, 2026 to May 29th, 2026.
Tailscale has switched to redacted logging for new tokens. Tokens are limited to a maximum lifetime of one hour, so historical tokens have already expired. No customer action is required.
Tailscale credits Conor Power (Snapchat).
---
Web UI ACL bypass, macOS tssentineld RCE, and Tailnet Lock bug
TS-2026-002: Web interface routes ACL bypass
The local Tailscale web interface can be opened to other tailnet peers and is read-only by default. Admins can grant permissions for changing settings via ACLs.
A bug in the /api/routes handler reset both the active exit node and advertised subnet routes when given an empty request body, even without the exitNodes or subnets grants.
Impact: A malicious tailnet node could disable the exit node and clear advertised subnets on nodes running the web interface, if it could pass login checks and had ACL access to port 5252.
Affected: Linux, macOS, and Windows nodes running Tailscale between 1.56.0 and 1.98.0 with the web interface explicitly enabled.
Fixed in 1.98.0 and newer. Tailscale credits N0zoM1z0.
TS-2026-001: macOS tssentineld arbitrary command execution
tssentineld is a launchd service on macOS installed when the AlwaysOn.Enabled MDM policy is present. It runs as root and relaunches Tailscale.app if terminated.
The implementation used NSTask and /bin/sh -c sudo -u [username] with basic string substitution. An attacker who could control the username or the memory backing it could inject commands that run with root privileges.
Impact: Malicious local users able to manipulate their username or tssentineld memory could execute arbitrary commands as root.
Affected: The macOS standalone variant from 1.84.0 to 1.92.3, when configured via MDM with AlwaysOn.Enabled. The App Store macOS package is not affected.
Fixed in Tailscale 1.94.0 or newer.
For this issue, Tailscale notes that tssentineld is only activated on MDM-managed clients with AlwaysOn enabled and requires admin permission to install and activate. Memory manipulation would require a separate vulnerability or existing root access, though username modification alone could be enough to cause elevated command execution.
---
The bulletin also references TS-2025-008, a Tailnet Lock enforcement failure on nodes lacking a state directory, but the provided text ends before the fix details. All the 2026-series issues above have concrete fixes shipped and upgrade paths documented, with several credited to external researchers and companies.
AI Editor
Ava covers the rapidly evolving world of artificial intelligence, from foundational models and research labs to the real-world economics of intelligence. With a background in computational linguistics, she cuts through the hype to find out what actually works. She firmly believes that benchmarks are just marketing until reproduced in the wild.
via Hacker News


