CVE-2026-49353 PUBLISHED

9Router: Local-Only Access Gate Bypass in 9router via Host Header SpoofING

Assigner: GitHub_M
Reserved: 29.05.2026 Published: 15.07.2026 Updated: 16.07.2026

9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest() to protect /api/mcp/, /api/tunnel/, and /api/cli-tools/*, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP child process stdin paths.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
CVSS Score: 7.5

Product Status

Vendor decolua
Product 9router
Versions
  • Version <= 0.4.45 is affected

References

Problem Types

  • CWE-290: Authentication Bypass by Spoofing CWE