CWE-290: Authentication Bypass by Spoofing in decolua 9router (CVE-2026-49353)
9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest() to protect /api/mcp/*, /api/tunnel/*, and /api/cli-tools/*, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP child process stdin paths.
AI Analysis
Technical Summary
The vulnerability in 9router arises from an incomplete fix for CVE-2026-46339. The local-only access gate implemented in src/dashboardGuard.js uses the Host and Origin HTTP headers to verify if a request is from a loopback address. However, these headers are attacker-controlled when 9router is behind a reverse proxy, tunnel, or DNS rebinding attack, allowing bypass of the local-only restriction. Access to restricted MCP routes requires a CLI token, which is a deterministic HMAC of the machine ID and thus predictable in some environments. An attacker who obtains or guesses this token can establish server-sent events (SSE) sessions and send arbitrary JSON-RPC commands to child processes such as node, python, or npx, enabling remote code execution on the host. The vulnerability affects versions <=0.4.55 and requires specific deployment conditions and token knowledge for exploitation.
Potential Impact
An attacker able to reach a proxied or tunneled 9router instance and obtain the deterministic CLI token can bypass the local-only access gate and interact with MCP child processes via stdin. This interaction can lead to arbitrary code execution on the host system. The impact is a remote code execution vulnerability with high severity, though exploitation requires specific deployment scenarios and token acquisition, reducing the overall risk compared to the original CVE-2026-46339.
Mitigation Recommendations
No official patch or fix is currently confirmed. Recommended mitigations include: (1) modifying the local-only access gate to verify the actual source IP address (e.g., using request.ip or request.socket.remoteAddress) rather than trusting Host and Origin headers; (2) replacing the deterministic CLI token with a non-deterministic, randomly generated token persisted on first run; and (3) binding MCP routes to the loopback interface at the network layer to enforce local-only access. Users should monitor vendor advisories for official fixes and apply them once available.
CWE-290: Authentication Bypass by Spoofing in decolua 9router (CVE-2026-49353)
Description
9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest() to protect /api/mcp/*, /api/tunnel/*, and /api/cli-tools/*, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP child process stdin paths.
CVSS v3.1
Score 7.5high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in 9router arises from an incomplete fix for CVE-2026-46339. The local-only access gate implemented in src/dashboardGuard.js uses the Host and Origin HTTP headers to verify if a request is from a loopback address. However, these headers are attacker-controlled when 9router is behind a reverse proxy, tunnel, or DNS rebinding attack, allowing bypass of the local-only restriction. Access to restricted MCP routes requires a CLI token, which is a deterministic HMAC of the machine ID and thus predictable in some environments. An attacker who obtains or guesses this token can establish server-sent events (SSE) sessions and send arbitrary JSON-RPC commands to child processes such as node, python, or npx, enabling remote code execution on the host. The vulnerability affects versions <=0.4.55 and requires specific deployment conditions and token knowledge for exploitation.
Potential Impact
An attacker able to reach a proxied or tunneled 9router instance and obtain the deterministic CLI token can bypass the local-only access gate and interact with MCP child processes via stdin. This interaction can lead to arbitrary code execution on the host system. The impact is a remote code execution vulnerability with high severity, though exploitation requires specific deployment scenarios and token acquisition, reducing the overall risk compared to the original CVE-2026-46339.
Mitigation Recommendations
No official patch or fix is currently confirmed. Recommended mitigations include: (1) modifying the local-only access gate to verify the actual source IP address (e.g., using request.ip or request.socket.remoteAddress) rather than trusting Host and Origin headers; (2) replacing the deterministic CLI token with a non-deterministic, randomly generated token persisted on first run; and (3) binding MCP routes to the loopback interface at the network layer to enforce local-only access. Users should monitor vendor advisories for official fixes and apply them once available.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-6g2f-w7g3-77vf
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-49353"]
- Ecosystems
- ["npm"]
- Database Specific Severity
- HIGH
- Cvss Version
- 3.1
Threat ID: 6a46ecad27e9c7971943b882
Added to database: 07/02/2026, 22:56:45 UTC
Last enriched: 07/16/2026, 07:55:50 UTC
Last updated: 07/19/2026, 08:08:25 UTC
Views: 63
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.