Tailscale disclosed TS-2026-009 today — a flag injection flaw in Tailscale SSH that lets any authorized SSH user obtain a root shell by logging in as -i. The vulnerability bypasses autogroup:nonroot ACL restrictions entirely, silently granting root access on affected Linux nodes. If you run Tailscale SSH, upgrade to version 1.98.9 immediately.
The flaw is deceptively simple. Any user who already has Tailscale SSH access to a host can exploit it in seconds — no special tooling required, no privilege escalation chain to build. The ACL said non-root only. Tailscale SSH didn’t enforce it.
How the Tailscale SSH Flag Injection Works
When a user connects via Tailscale SSH, the service resolves the supplied username against the Linux password database. On affected versions, this meant calling getent(1) — a shell subprocess — and passing the username as a command-line argument. That’s where the bug lives.
On POSIX systems, arguments starting with - are interpreted as flags. The username -i becomes getent --no-idn, which prints the full /etc/passwd file starting with the root entry. Tailscale SSH then opens an interactive session for the first returned user: root. One username. Full root access. ACL ignored.
# Exploit for Tailscale SSH versions prior to 1.98.9 (Linux only)
# Requires existing Tailscale SSH access to the node
ssh -l '-i' 100.x.x.x
# getent interprets '-i' as '--no-idn'
# /etc/passwd is printed starting from the root entry
# Result: interactive root shell, ACL restrictions ignored
A second related vector, TS-2026-006, also existed: using 0 as the username — the numeric UID for root — bypassed UID-based ACL restrictions. Both are patched in Tailscale v1.98.9.
The Real Mistake: Subprocess Over Syscall
The underlying cause isn’t obscure. Tailscale SSH called getent(1) — an external binary — instead of using the POSIX C API getpwnam(3) directly. The difference matters: a subprocess invocation parses arguments and flags; a library call does not. Developers pointed this out immediately on Hacker News: “A proper fix is not to shell out to a command at all; use getpwnam(3) or similar.”
This is a textbook argument injection vulnerability. Whenever user-controlled input gets passed to a command-line tool, every argument parser in the chain becomes a potential injection point. The secure pattern is to use library APIs that take strings as data, not commands that interpret strings as arguments. Tailscale’s current fix rejects usernames with leading dashes — but the complete fix is dropping the subprocess call entirely.
Who’s Affected and What 1.98.9 Fixes
Only Linux nodes are affected — getent is Linux-specific. macOS and Windows Tailscale SSH are not vulnerable. The blast radius requires existing Tailscale SSH access, so external attackers cannot exploit this directly. However, the real threat model here is insider escalation and compromised identity provider accounts, not anonymous attackers from the internet.
Version 1.98.9, released July 14, 2026, patches six security bulletins simultaneously — the largest Tailscale security batch in recent memory. That volume signals a formal security audit, not a one-off fix. The other patches address Unix socket forwarding permissions, Tailscale Serve and Funnel CPU exhaustion, and an inbound packet filtering gap in Tailscale Services. Upgrade the entire stack, not just the SSH component. See the full details in the Tailscale v1.98.9 changelog.
To verify your current version, run tailscale version. To check whether Tailscale SSH is enabled on a node, inspect your tailnet ACL policy for SSH rules at Tailscale SSH documentation.
Key Takeaways
- Upgrade all Linux Tailscale nodes to 1.98.9 or newer immediately — any prior version with Tailscale SSH enabled is vulnerable to root access via the
-iusername exploit. - The
autogroup:nonrootACL restriction was silently bypassed on affected versions; teams relying on it as a hard security boundary were exposed with no visible indication. - The current fix rejects leading-dash usernames, but the complete fix is replacing the
getent(1)subprocess with a directgetpwnam(3)library call — expect a more thorough patch in a future version. - Defense in depth remains the right model: use Tailscale for network-layer VPN isolation and OpenSSH for authentication on high-assurance nodes where decades of hardening matter.
- Six bulletins patched simultaneously in v1.98.9 suggests a formal security audit was conducted — stay subscribed to Tailscale’s security bulletins for follow-up fixes.













