CVE-2026-49353
9Router: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest() to protect /api/mcp/*, /api/tunnel/*, and /api/cli-tools/*, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP child process stdin paths.
| CWE | CWE-290 |
| Vendor | decolua |
| Product | 9router |
| Published | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for decolua 9router
Be the first to know when new high vulnerabilities affecting decolua 9router are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None
Affected Versions
decolua / 9router
<= 0.4.45
References
github.com: https://github.com/decolua/9router/security/advisories/GHSA-6g2f-w7g3-77vf github.com: https://github.com/decolua/9router/commit/5e1c1261368e06dced1cbc650684561b2c8844db github.com: https://github.com/decolua/9router/commit/bb86808582067e4fc6f004508a919efb9970d1d5 github.com: https://github.com/decolua/9router/releases/tag/v0.4.46