CVE-2026-49352
CRITICAL
9.8
CVSS 3.1
Description
9Router is an AI router & token saver. From 0.2.21 until 0.4.44, 9Router used the hardcoded fallback JWT secret 9router-default-secret-change-me in src/app/api/auth/login/route.js, src/middleware.js, and later src/lib/auth/dashboardSession.js, allowing attackers to forge an auth_token cookie when JWT_SECRET was unset. This issue is fixed in version 0.4.44
Metadata
Severity & Metrics
9.8
CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| decolua | 9router | — | >= 0.2.21, < 0.4.44 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-798 | cna | CWE-798: Use of Hard-coded Credentials |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 9.8 | CRITICAL | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (3)
- https://github.com/decolua/9router/security/advisories/GHSA-jphh-m39h-6gwx https://github.com/decolua/9router/security/advisories/GHSA-jphh-m39h-6gwx
- https://github.com/decolua/9router/commit/fe3ce25ae3cda48c0702c2d452e17f6ec214009d https://github.com/decolua/9router/commit/fe3ce25ae3cda48c0702c2d452e17f6ec214009d
- https://github.com/decolua/9router/releases/tag/v0.4.44 https://github.com/decolua/9router/releases/tag/v0.4.44