TS-2026-009: Insecure argument handling in Tailscale SSH permitted root access

One tiny login trick, one weird web request, and commenters are already screaming “just use OpenSSH”

TLDR: Tailscale fixed a serious set of bugs, including one where a sneaky username could wrongly grant full admin access on Linux machines. Commenters were split between dark humor about this ancient mistake and a familiar blunt verdict: stick with OpenSSH if you want the boring, trusted option.

Tailscale dropped a triple security fix, but the comment section instantly crowned one bug the main character: a user could allegedly type a username starting with a dash — specifically “-i” — and end up with a root account, the all-powerful admin identity that should absolutely not be handed out by accident. For non-experts: that’s the digital version of asking for the janitor’s key and somehow getting the master keys to the building. Tailscale says the issues are fixed in version 1.98.9, including this login flaw, a bug where one bad web request could max out a computer core forever, and another that exposed “local only” services from afar.

But the real fireworks were in the reactions. Security veteran tptacek basically posted the cryptic equivalent of “they really don’t make bugs like this anymore”, mocking how old-school this mistake felt. Another commenter immediately asked the question many lurkers were probably thinking: if you use OpenSSH instead of Tailscale’s built-in remote login tool, are you safe? Then came the purity-test debate. One camp said Tailscale’s patch — just rejecting usernames starting with “-” — felt too flimsy, arguing they should have used the classic separator trick instead. Another camp went full reputation mode: why gamble on a newer convenience feature when OpenSSH’s security record is legendary?

So yes, the official story is “upgrade now.” The unofficial story is a full-on community pile-on over trust, old bug classes, and whether convenience features always end in somebody accidentally becoming root. Peak tech drama.

Key Points

  • Tailscale said three vulnerabilities affecting Serve/Funnel, SSH, and Services were fixed in version 1.98.9 or newer.
  • A malformed non-absolute HTTP path in Tailscale Serve or Funnel could cause an infinite handler-resolution loop and permanently consume one CPU core.
  • In Tailscale SSH on Linux, usernames beginning with `-` could be interpreted as flags by `getent(1)`, allowing a user with SSH access to obtain an interactive root session using the username `-i`.
  • Tailscale Services previously allowed traffic to non-advertised service ports to be forwarded to loopback listeners on the hosting node under certain conditions.
  • Tailscale advised users of the affected features to upgrade to version 1.98.9 or newer and credited Anthropic and Ada Logics for reporting the issues.

Hottest takes

"still makin' 'em like they used to" — tptacek
"Really? That's the fix?" — cyberax
"not sure why I'd swap over" — doublepg23
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.