CVE-2026-49353
HIGH Exploitation: PoC
7.5
CVSS 3.1
Description
9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest() to protect /api/mcp/*, /api/tunnel/*, and /api/cli-tools/*, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP child process stdin paths.
Metadata
Severity & Metrics
7.5
HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| decolua | 9router | — | <= 0.4.45 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-290 | cna | CWE-290: Authentication Bypass by Spoofing |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.5 | HIGH | 3.1 | cna | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N |
References (4)
- https://github.com/decolua/9router/security/advisories/GHSA-6g2f-w7g3-77vf https://github.com/decolua/9router/security/advisories/GHSA-6g2f-w7g3-77vf
- https://github.com/decolua/9router/commit/5e1c1261368e06dced1cbc650684561b2c8844db https://github.com/decolua/9router/commit/5e1c1261368e06dced1cbc650684561b2c8844db
- https://github.com/decolua/9router/commit/bb86808582067e4fc6f004508a919efb9970d1d5 https://github.com/decolua/9router/commit/bb86808582067e4fc6f004508a919efb9970d1d5
- https://github.com/decolua/9router/releases/tag/v0.4.46 https://github.com/decolua/9router/releases/tag/v0.4.46