GHSA-6g2f-w7g3-77vf: 9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header Spoofing
9router contains an incomplete fix for CVE-2026-46339 that allows bypassing a local-only access gate via spoofed Host and Origin headers when deployed behind reverse proxies or tunnels. The gate relies on these headers to determine whether a request is local, but in proxied environments they are attacker-controlled. An attacker who obtains or guesses the deterministic CLI token derived from the machine ID can bypass the gate and interact with MCP child processes, potentially achieving remote code execution. The vulnerability affects 9router versions up to 0.4.55. The severity is rated high, although exploitation requires additional conditions such as token access and proxied deployment.
AI Analysis
Technical Summary
The vulnerability in 9router (CVE-2026-49353) stems from an incomplete fix for a prior unauthenticated remote code execution issue (CVE-2026-46339). The local-only access gate implemented in src/dashboardGuard.js restricts sensitive routes by checking the Host and Origin HTTP headers for loopback hostnames rather than verifying the actual TCP source IP. Because those headers are supplied by the client, the gate can be bypassed by spoofing them in deployments behind reverse proxies, Cloudflare Tunnel, or Tailscale, or through DNS rebinding. Access to these routes also requires a CLI token, which is a deterministic HMAC of the machine ID, making it predictable in some environments. Once bypassed, attackers can establish Server-Sent Events sessions and send arbitrary JSON-RPC commands to MCP child processes (node, python, npx, etc.), enabling remote code execution on the host. The vulnerability affects versions up to 0.4.55 and requires proxied deployment and token access, reducing severity compared to the original CVE-2026-46339.
Potential Impact
An attacker able to reach a proxied or tunneled 9router instance and obtain or guess the deterministic CLI token can bypass the local-only access restriction. This enables interaction with MCP child processes via stdin, potentially leading to remote code execution on the host system. The impact includes unauthorized code execution with the privileges of the 9router process. The severity is high but reduced from the original CVE-2026-46339 due to the additional requirements of proxied deployment and token acquisition.
Mitigation Recommendations
No official patch or fix is currently confirmed. Recommended mitigations include: (1) modifying the local-only access gate to verify the actual source IP address (e.g., using request.ip or socket remote address) instead of trusting Host and Origin headers; (2) replacing the deterministic CLI token with a non-predictable, randomly generated token persisted across runs; (3) binding MCP routes to the loopback interface at the network layer to prevent remote access regardless of header spoofing. Users should monitor vendor advisories for official fixes and apply them when available.
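To make the first mitigation concrete, the following is an added example (not 9router's code and not from the advisory) contrasting a header-based local-only gate of the kind the analysis describes with one that decides from the TCP peer address. The request shape `{ headers, socket: { remoteAddress } }` is an assumption chosen to match what Node's `http.IncomingMessage` exposes; the sample requests and the 203.0.113.10 address are constructed for the demonstration.

```javascript
// Added example: a local-only gate decided from the TCP peer, not from
// attacker-controlled Host/Origin headers. Not 9router's code.
// Assumed request shape: { headers: {...}, socket: { remoteAddress } },
// matching Node's http.IncomingMessage.

const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Strip an optional ":port" from a Host header value, keeping IPv6 brackets.
function hostWithoutPort(hostHeader) {
  if (!hostHeader) return '';
  const h = hostHeader.trim().toLowerCase();
  if (h.startsWith('[')) {
    const end = h.indexOf(']');
    return end === -1 ? h : h.slice(0, end + 1);
  }
  const colon = h.lastIndexOf(':');
  return colon === -1 ? h : h.slice(0, colon);
}

// WEAK gate: the pattern the advisory describes. Behind a proxy or tunnel,
// Host and Origin are whatever the remote client chose to send.
function isLocalByHeaders(req) {
  const host = hostWithoutPort(req.headers.host);
  let originHost = '';
  if (req.headers.origin) {
    try { originHost = hostWithoutPort(new URL(req.headers.origin).host); } catch { originHost = ''; }
  }
  // Non-browser clients usually send no Origin; the weak gate lets that through.
  return LOOPBACK_HOSTS.has(host) && (!originHost || LOOPBACK_HOSTS.has(originHost));
}

// Loopback test for the peer address: IPv4 127.0.0.0/8, IPv6 ::1, and the
// IPv4-mapped form (::ffff:127.0.0.1) that dual-stack sockets report.
function isLoopbackAddress(addr) {
  if (typeof addr !== 'string' || addr.length === 0) return false;
  let a = addr.toLowerCase();
  if (a.startsWith('::ffff:')) a = a.slice(7);
  if (a === '::1') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(a);
  if (!m) return false;
  return m.slice(1).every((o) => Number(o) <= 255) && m[1] === '127';
}

// HARDENED gate: consult the kernel's view of the peer. Headers are ignored,
// including X-Forwarded-For, which is just as spoofable as Host. A missing
// or closed socket yields undefined and the gate fails closed.
function isLocalBySocket(req) {
  return isLoopbackAddress(req.socket && req.socket.remoteAddress);
}

// Constructed sample requests (not captured traffic).
function makeRequest(remoteAddress, host, origin) {
  const headers = { host };
  if (origin) headers.origin = origin;
  return { headers, socket: { remoteAddress } };
}

// A genuine local client, and a remote client arriving through a tunnel
// with a forged Host/Origin pair (203.0.113.10 is a documentation address).
const localReq = makeRequest('127.0.0.1', 'localhost:3000');
const spoofedReq = makeRequest('203.0.113.10', 'localhost:3000', 'http://localhost:3000');

function gateDecisions(req) {
  return { headers: isLocalByHeaders(req), socket: isLocalBySocket(req) };
}

console.log('local  ', gateDecisions(localReq));   // both gates allow
console.log('spoofed', gateDecisions(spoofedReq)); // header gate allows, socket gate denies
```

One caveat when applying this: if a reverse proxy runs on the same host and forwards to 9router over loopback, `remoteAddress` is 127.0.0.1 for every forwarded request and the socket gate cannot tell local users from remote ones either. In that deployment the sensitive routes should not be reachable through the proxy at all, which is what the third mitigation (binding them to the loopback interface and keeping them out of the proxied path) addresses.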
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: GHSA-6g2f-w7g3-77vf
- Osv Schema Version: 1.4.0
- Aliases: ["CVE-2026-49353"]
- Ecosystems: ["npm"]
- Database Specific Severity: HIGH
- Cvss Version: 3.1
Threat ID: 6a46ecad27e9c7971943b882
Added to database: 07/02/2026, 22:56:45 UTC
Last enriched: 07/02/2026, 23:04:28 UTC
Last updated: 07/02/2026, 23:04:28 UTC