CVE-2025-29266

Summary

Unraid 7.0.0 allows remote users to access the Unraid WebGUI and web console as root without authentication if a container is running in "Host" networking mode with "Use Tailscale" enabled. Any user connecting via the resulting Tailscale device can access the WebGUI as root by opening a browser and navigating to the WebGUI port.

Vulnerability Details

CVSS v4.0: 7.7 / High (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
CVSS v3.1: 8.8 / High (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CWE: CWE-291: Reliance on IP Address for Authentication

The Unraid WebGUI allows connections from localhost to bypass authentication and connect with root privileges. The "Use Tailscale" feature, introduced in Unraid 7.0.0, injects Tailscale into containers during container startup.

When this feature is enabled on a container using host network mode, traffic arriving via the container's Tailscale device and reaching the WebGUI port is seen by Unraid as originating from localhost, so authentication is bypassed. Any user who can connect to that port through the Tailscale device therefore receives root access to the WebGUI and to a shell (via the built-in web terminal).

By default, Unraid assigns ports 80/443 to the WebGUI. It is therefore easy for a user who was never meant to have WebGUI access to trigger this vulnerability unintentionally, simply by omitting the port from the intended address. For example:

  1. System owner provides a user with access to the Tailscale device, intending for that user to access a service hosted on port 8080.
  2. If the user enters http://tailscaleAddress:8080/, they connect to the intended service.
  3. If the user enters http://tailscaleAddress/ (forgetting to add the port), they connect to the WebGUI, without username/password authentication, and have root access.

Affected Products / Versions

Unraid = 7.0.0

Fixed Versions

Unraid >= 7.0.1

Workarounds / Mitigations

Either:

  • Disable "Use Tailscale" on containers using "Host" network mode.
  • Use Tailscale ACLs to prevent access to the WebGUI port via the Tailscale device created for the container.
  • Disable the authentication bypass for localhost in the nginx configuration by commenting out or removing these lines in /etc/nginx/nginx.conf and restarting nginx (/etc/rc.d/rc.nginx restart):

        allow 127.0.0.1;
        allow ::1;

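As an added illustration of the second mitigation (not part of the advisory, and not Unraid's or Tailscale's own configuration), the following Tailscale ACL policy (HuJSON) grants a group of users access only to the intended service port on the container's Tailscale device. Tailscale ACLs are default-deny, so the WebGUI ports 80/443 on the same device remain unreachable for that group. The tag name tag:unraid-app, the group group:app-users and the user address are assumptions; the container's Tailscale device is assumed to have been registered with that tag.

```json
{
  // Added example, not from the advisory. Tag, group and user are assumptions.
  "tagOwners": {
    // Only tailnet admins may register devices with this tag.
    "tag:unraid-app": ["autogroup:admin"]
  },
  "groups": {
    // The users the system owner intends to share the service with.
    "group:app-users": ["user@example.com"]
  },
  "acls": [
    // Shared users reach only port 8080 on the container's device.
    // Nothing else on tag:unraid-app (including 80/443, the WebGUI) is
    // allowed for them, because every rule here is an explicit accept.
    {"action": "accept", "src": ["group:app-users"], "dst": ["tag:unraid-app:8080"]},

    // Tailnet admins keep full access to the device for administration.
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["tag:unraid-app:*"]}
  ]
}
```

The important property is the absence of any rule granting group:app-users access to `tag:unraid-app:*` or to ports 80/443; if the container's device is not tagged, the same restriction has to be expressed against whatever identity that device has in the tailnet.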

Warning

/etc/nginx/nginx.conf is replaced on each boot; modifications to the file must be repeated after any server restart.
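Because the file is regenerated at every boot, the third mitigation is best scripted so it can be re-applied after each restart. The following POSIX shell functions are an added example (not an Unraid-provided tool) that comment out the two localhost allow directives in a given nginx.conf, verify that no active directive remains, and, for the live file, restart nginx with the command from the advisory. The path of the config file is a parameter so the edit can be rehearsed on a copy first; the startup hook from which harden_live is invoked is left to the administrator.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Unraid itself.
# Disables the localhost authentication bypass (CVE-2025-29266 mitigation)
# by commenting out "allow 127.0.0.1;" and "allow ::1;" in an nginx.conf.

# Comment out the two localhost allow directives in the file given as $1.
# A backup is kept next to the file, and the edit is written via a temp file
# so the config is never left half-written.
strip_localhost_allow() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed \
        -e 's/^\([[:space:]]*\)allow 127\.0\.0\.1;/\1# allow 127.0.0.1;  # disabled: CVE-2025-29266/' \
        -e 's/^\([[:space:]]*\)allow ::1;/\1# allow ::1;  # disabled: CVE-2025-29266/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Succeed (exit 0) only if no uncommented localhost allow directive remains.
localhost_allow_removed() {
    ! grep -Eq '^[[:space:]]*allow[[:space:]]+(127\.0\.0\.1|::1);' "$1"
}

# Apply the edit to the live configuration and restart nginx (the two steps
# the advisory describes). Fails before restarting if the edit did not take.
harden_live() {
    strip_localhost_allow /etc/nginx/nginx.conf || return 1
    localhost_allow_removed /etc/nginx/nginx.conf || return 1
    /etc/rc.d/rc.nginx restart
}
```

Run `harden_live` from whatever boot-time hook the server uses, since the advisory notes the file is replaced on each boot; `localhost_allow_removed /etc/nginx/nginx.conf` on its own is a quick post-boot check that the bypass is still disabled.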

References