CVE-2026-46339
CRITICAL
10.0
CVSS 3.1
Description
9Router is an AI router & token saver. From 0.4.30 until 0.4.37, 9Router's src/proxy.js middleware did not protect /api/cli-tools/* and /api/mcp/*, allowing unauthenticated registration of customPlugins through src/app/api/cli-tools/cowork-settings/route.js and command execution through the MCP bridge. This vulnerability is fixed in 0.4.37.
Metadata
Severity & Metrics
10.0
CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| decolua | 9router | — | >= 0.4.30, < 0.4.37 |
Weakness (CWE)
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 10.0 | CRITICAL | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
References (2)
- https://github.com/decolua/9router/security/advisories/GHSA-fhh6-4qxv-rpqj https://github.com/decolua/9router/security/advisories/GHSA-fhh6-4qxv-rpqj
- https://github.com/decolua/9router/commit/992f4db4a0d858bcc86b4786f2abab117a6ccdf8 https://github.com/decolua/9router/commit/992f4db4a0d858bcc86b4786f2abab117a6ccdf8