CVE-2026-49352 PUBLISHED

9Router: Hardcoded Default fallback JWT Secret Allows Authentication Bypass

Assigner: GitHub_M
Reserved: 29.05.2026 Published: 15.07.2026 Updated: 15.07.2026

9Router is an AI router & token saver. From 0.2.21 until 0.4.44, 9Router used the hardcoded fallback JWT secret 9router-default-secret-change-me in src/app/api/auth/login/route.js, src/middleware.js, and later src/lib/auth/dashboardSession.js, allowing attackers to forge an auth_token cookie when JWT_SECRET was unset. This issue is fixed in version 0.4.44

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor decolua
Product 9router
Versions
  • Version >= 0.2.21, < 0.4.44 is affected

References

Problem Types

  • CWE-798: Use of Hard-coded Credentials CWE