Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.4%top 72%

CWE-290: Authentication Bypass by Spoofing in decolua 9router (CVE-2026-49353)

0
High
Published: 07/15/2026 (07/15/2026, 20:49:15 UTC)
Source: GCVE Database
Vendor/Project: decolua
Product: 9router

Description

9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest() to protect /api/mcp/*, /api/tunnel/*, and /api/cli-tools/*, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP child process stdin paths.

CVSS v3.1

Score 7.5high

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

Affected software

npmghsa
9router
Affected versions
<=0.4.55

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/16/2026, 07:55:50 UTC

Technical Analysis

The vulnerability in 9router arises from an incomplete fix for CVE-2026-46339. The local-only access gate implemented in src/dashboardGuard.js uses the Host and Origin HTTP headers to verify if a request is from a loopback address. However, these headers are attacker-controlled when 9router is behind a reverse proxy, tunnel, or DNS rebinding attack, allowing bypass of the local-only restriction. Access to restricted MCP routes requires a CLI token, which is a deterministic HMAC of the machine ID and thus predictable in some environments. An attacker who obtains or guesses this token can establish server-sent events (SSE) sessions and send arbitrary JSON-RPC commands to child processes such as node, python, or npx, enabling remote code execution on the host. The vulnerability affects versions <=0.4.55 and requires specific deployment conditions and token knowledge for exploitation.

Potential Impact

An attacker able to reach a proxied or tunneled 9router instance and obtain the deterministic CLI token can bypass the local-only access gate and interact with MCP child processes via stdin. This interaction can lead to arbitrary code execution on the host system. The impact is a remote code execution vulnerability with high severity, though exploitation requires specific deployment scenarios and token acquisition, reducing the overall risk compared to the original CVE-2026-46339.

Mitigation Recommendations

No official patch or fix is currently confirmed. Recommended mitigations include: (1) modifying the local-only access gate to verify the actual source IP address (e.g., using request.ip or request.socket.remoteAddress) rather than trusting Host and Origin headers; (2) replacing the deterministic CLI token with a non-deterministic, randomly generated token persisted on first run; and (3) binding MCP routes to the loopback interface at the network layer to enforce local-only access. Users should monitor vendor advisories for official fixes and apply them once available.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-6g2f-w7g3-77vf
Osv Schema Version
1.4.0
Aliases
["CVE-2026-49353"]
Ecosystems
["npm"]
Database Specific Severity
HIGH
Cvss Version
3.1

Threat ID: 6a46ecad27e9c7971943b882

Added to database: 07/02/2026, 22:56:45 UTC

Last enriched: 07/16/2026, 07:55:50 UTC

Last updated: 07/19/2026, 08:08:25 UTC

Views: 63

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses