CVE-2026-56675
9router: Reverse proxy locality collapse allows unauthenticated access to 9router /v1 APIs
CVSS Score
8.3
EPSS Score
0.0%
EPSS Percentile
0th
9Router is an AI router & token saver. Prior to 0.5.2, 9router treats loopback requests as trusted and allows /v1/* access without an API key, so a same-host reverse proxy that forwards public traffic to the backend through 127.0.0.1 causes src/dashboardGuard.js to misclassify external requests as local. A remote unauthenticated attacker can access /v1 APIs such as /v1/models and may abuse configured upstream provider credentials through /v1 proxy endpoints depending on enabled providers. This issue is fixed in version 0.5.2.
| CWE | CWE-287 CWE-290 CWE-306 CWE-441 |
| Vendor | decolua |
| Product | 9router |
| Published | Jul 10, 2026 |
| Last Updated | Jul 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for decolua 9router
Be the first to know when new high vulnerabilities affecting decolua 9router are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low
Affected Versions
decolua / 9router
< 0.5.2