CVE-2026-9495: Access Control Bypass in @koa/router
Versions of the package @koa/router from 14.0.0 up to, but not including, 15.0.0 are vulnerable to access control bypass: middleware is silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was meant to protect, an attacker could bypass authentication and authorization, evade rate limiting, or bypass input sanitization.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The vulnerability in @koa/router versions 14.0.0 and before 15.0.0 arises from middleware being silently omitted from the execution chain when the router prefix includes path parameters. Because the omission is silent, any security control implemented as router middleware, such as authentication, authorization, rate limiting, or input sanitization, can be skipped without error, resulting in an access control bypass. The CVSS 4.0 base score is 6.9, indicating medium severity. No official fix or patch has been published yet, and because this is a library rather than a hosted service, remediation depends on updating the package once a fixed release is available.
Potential Impact
An attacker could exploit this vulnerability to bypass critical middleware protections, potentially gaining unauthorized access, evading rate limits, or bypassing input validation. The exact impact depends on which security controls the skipped middleware was enforcing. There are no reports of active exploitation in the wild.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Until an official fix is available, users should review every router whose prefix contains path parameters and verify, for each such router, that its middleware chain actually executes on requests to the routes it protects. Consider enforcing the affected controls at a layer outside the router's middleware chain, or avoid using vulnerable versions of @koa/router if possible.
Technical Details
- Data Version: 5.2
- Assigner Short Name: snyk
- Date Reserved: 2026-05-25T09:18:41.020Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a153cbca5ae1af1aa706ad7
Added to database: 5/26/2026, 6:25:00 AM
Last enriched: 5/26/2026, 6:40:22 AM
Last updated: 5/26/2026, 12:43:31 PM