CVE-2026-56679
9Router: Mass assignment in PATCH /api/settings allows authenticated authorization downgrade
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
9Router is an AI router & token saver. Prior to 0.5.4, the PATCH /api/settings endpoint writes the entire request body to persistent settings without a field whitelist, allowing an authenticated user to set security-critical fields such as requireLogin and disable authentication for the whole application, exposing protected routes such as /api/keys and /api/providers to unauthenticated access. This issue is reported as fixed in version 0.5.4.
| CWE | CWE-915 |
| Vendor | decolua |
| Product | 9router |
| Published | Jul 15, 2026 |
| Last Updated | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for decolua 9router
Be the first to know when new unknown vulnerabilities affecting decolua 9router are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
decolua / 9router
< 0.5.4