logoalt Hacker News

TS-2026-009: Insecure argument handling in Tailscale SSH permitted root access

131 pointsby jervanttoday at 1:08 AM59 commentsview on HN

Comments

tptacektoday at 1:27 AM

This is such a venerable and ancient class of bugs, going at least as far back as AIX 3. Glad to see they're still makin' 'em like they used to.

(If you had SSH access to a host in your Tailscale ACL, you could log in as `-i` and get a root login.)

show 2 replies
doublepg23today at 1:59 AM

I’m a heavy Tailscale user, so I do trust them quite a bit, but I never used the Tailscale SSH feature. I feel like OpenSSH’s security record is pretty unbeatable, not sure why I’d swap over for such a security-sensitive tool.

show 4 replies
s_ting765today at 7:33 AM

I don't see the point of publishing a security bulletin if you are not going to timely push the fix to artifacts on all affected platforms. Tailscale needs to do better on their release process, docker hub shows last update was 8 days ago.

show 1 reply
evikstoday at 6:44 AM

> Tailscale SSH now rejects usernames with leading dashes.

Is the proper fix not restricting users not possible in these poorly designed ancient systems?

Similarly re another issue: why not just fix the permission issues instead of restricting users?

> Tailscale now disallows the use of UIDs or numeric-only usernames via SSH to avoid this ambiguity

drnick1today at 3:15 AM

I'll stick to my 100% self-hosted Wireguard setup, thank you very much.

show 3 replies
luciana1utoday at 3:23 AM

tailscale ssh: replacing a 25-year-old battle-tested codebase with a startup's Go rewrite and then acting surprised when it has bugs

show 1 reply
e40today at 1:37 AM

So, giving access via tailscale but using OpenSSH is safe, right?

show 2 replies
modelesstoday at 2:08 AM

Tailscale SSH has caused me other problems in the past because it takes over port 22. I'm not a fan.

show 2 replies
mintflowtoday at 3:50 AM

>>> We would like to thank Anthropic and Ada Logics for reporting this issue.

it seems anthropic also use tailscale or it's just being discovered by the mythos model?

show 1 reply
mintflowtoday at 3:52 AM

pure logic error, the undergoing tailscale rust rewrite can't help this too:)

show 2 replies
kbumsiktoday at 1:44 AM

Why own numbering instead of CVE?

show 2 replies
cyberaxtoday at 1:52 AM

> "Tailscale SSH now rejects usernames with leading dashes."

Really? That's the fix?

A proper fix is to use "--" to separate arguments.

show 2 replies
farfatchedtoday at 4:48 AM

Sadly, yet another path to root via Tailscale.

If their scope grows, and they run so much as root, it won't be their last.

ishwetatoday at 6:18 AM

[dead]