TS-2026-001

Vulnerability from tailscale - Published: Thu, 15 Jan 2026 00:00:00 GMT

Description: Arbitrary command execution with elevated privileges in tssentineld

What happened?

tssentineld is a launchd service that is installed in managed environments when the AlwaysOn.Enabled MDM policy is present on macOS. Its sole responsibility is to ensure that Tailscale.app is relaunched if terminated. As a launchd service, it runs as root.

The implementation used an NSTask to run /bin/sh -c sudo -u [username], with the username inserted by basic string template substitution. Because /bin/sh parses that string, an attacker with direct access to the memory backing the username string, or who could set the current username to a malicious value, could inject commands that run with the same privileges as tssentineld.
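The defect described above is a general one: building a shell command line by interpolating an attacker-influenced value, instead of passing that value as a single argv element with no shell in between. The following Python example (added here; it is not Tailscale's code and does not reproduce tssentineld) puts the two patterns side by side. The relaunch action (`open -a Tailscale`) and the `subprocess`-based runner are assumptions for illustration; `shell_tokens` approximates how /bin/sh would split the vulnerable string so the reader can see the username stop being one token, and `safe_argv` shows the hardened form with a portable-username check in front of it.

```python
"""Vulnerable vs. hardened command construction for a root daemon that
relaunches an application as a given user.  Added example, not project code."""
import re
import shlex
import subprocess
from typing import Callable, List

# Portable POSIX username: a letter or underscore, then up to 31 of [A-Za-z0-9._-].
_USERNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]{0,31}$")

# Hypothetical relaunch action; stands in for whatever the daemon really runs.
_RELAUNCH = ["/usr/bin/open", "-a", "Tailscale"]


def vulnerable_command(username: str) -> str:
    """The pattern the bulletin describes: one string handed to `/bin/sh -c`
    with the username substituted in.  Anything the shell treats as syntax
    inside `username` becomes part of the command."""
    return f"sudo -u {username} {' '.join(_RELAUNCH)}"


def shell_tokens(command: str) -> List[str]:
    """Approximate /bin/sh tokenisation of `command` (operators such as ';',
    '|' and '&' are split into their own tokens)."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def validate_username(username: str) -> str:
    """Reject anything outside the portable POSIX username character set.
    This is defence in depth; the real fix is not invoking a shell at all."""
    if not _USERNAME_RE.match(username):
        raise ValueError("username contains characters outside the portable POSIX set")
    return username


def safe_argv(username: str) -> List[str]:
    """Hardened form: no shell, `sudo` invoked directly, and the username is
    exactly one argv element regardless of its content."""
    return ["/usr/bin/sudo", "-u", validate_username(username)] + _RELAUNCH


def relaunch_as_user(username: str,
                     run: Callable[..., object] = subprocess.run) -> object:
    """Execute the hardened argv.  `run` is injectable so callers (and tests)
    can observe the argv without spawning a process."""
    return run(safe_argv(username), check=False)


if __name__ == "__main__":
    # Constructed sample values: a normal account and a username carrying shell syntax.
    for name in ("alice", "alice; id"):
        print(f"{name!r}: vulnerable string tokenises to {shell_tokens(vulnerable_command(name))}")
        try:
            print(f"{name!r}: hardened argv is {safe_argv(name)}")
        except ValueError as exc:
            print(f"{name!r}: rejected ({exc})")
```

With the vulnerable builder, the second sample value tokenises to `sudo -u alice ; id ...`, i.e. the shell sees a second command after the `;`; the hardened builder never reaches the shell, and the character check rejects the value before `sudo` is even invoked. The same holds for any other value the daemon derives from user-controlled state.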

This vulnerability is fixed in Tailscale version 1.94.0 and newer.

What was the impact?

Malicious local users who can manipulate their username, or who can manipulate the memory of tssentineld, can execute arbitrary commands as root.

Who was affected?

The macOS standalone variant from 1.84.0 to 1.92.3 is affected when configured via MDM to enable the AlwaysOn.Enabled policy.

tssentineld is only activated on clients managed by MDM and employing the AlwaysOn.Enabled policy and requires admin permission to install and activate. Memory manipulation to inject a malicious command requires a separate vulnerability or existing root access. The user may, however, modify their username in such a way that tssentineld could execute arbitrary shell commands with elevated privileges.

The macOS package available from the App Store does not support the installation of launchd daemons and is not affected.

What do I need to do?

If you are using the AlwaysOn.Enabled policy with standalone macOS clients, update to version 1.94.0 or newer.

Source: https://tailscale.com/security-bulletins/#ts-2026-001