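Built a fresh image of 1.4 this morning and used the PoC here to confirm that VyOS is vulnerable to CVE-2021-4034. In the session below, the unprivileged user `test` (uid 1003) runs the PoC and gets a root shell.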
sh-5.1$ cat /etc/os-release
PRETTY_NAME="VyOS 1.4-rolling-202201272046 (sagitta)"
NAME="VyOS"
VERSION_ID="1.4-rolling-202201272046"
VERSION="1.4-rolling-202201272046 (sagitta)"
VERSION_CODENAME=bullseye
ID=vyos
HOME_URL="https://vyos.io"
SUPPORT_URL="https://support.vyos.io"
BUG_REPORT_URL="https://phabricator.vyos.net"
sh-5.1$ id
uid=1003(test) gid=1003(test) groups=1003(test)
sh-5.1$ ./cve-2021-4034-poc
sh-5.1# id
uid=0(root) gid=0(root) groups=0(root),1003(test)
sh-5.1#