CVE-2026-49352
9Router: Hardcoded Default fallback JWT Secret Allows Authentication Bypass
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th
9Router is an AI router & token saver. From 0.2.21 until 0.4.44, 9Router used the hardcoded fallback JWT secret 9router-default-secret-change-me in src/app/api/auth/login/route.js, src/middleware.js, and later src/lib/auth/dashboardSession.js, allowing attackers to forge an auth_token cookie when JWT_SECRET was unset. This issue is fixed in version 0.4.44
| CWE | CWE-798 |
| Vendor | decolua |
| Product | 9router |
| Published | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for decolua 9router
Be the first to know when new critical vulnerabilities affecting decolua 9router are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
decolua / 9router
>= 0.2.21, < 0.4.44