EUVD-2026-33685
GHSA-rj93-2986-gmf9
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended.
AnalysisAI
Improper authorization in decolua 9router through version 0.4.0 allows remote attackers with low privileges to bypass JWT authentication by manipulating the HTTP Host header, gaining unauthorized access to protected dashboard and API endpoints. The vulnerable isLocalRequest() function in dashboardGuard.js blindly trusted the client-supplied Host header to determine whether a request originated from localhost, enabling any network-reachable attacker to spoof local origin by sending Host: localhost. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network-level reachability to the 9router HTTP service port on a host running version 0.4.0 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.3 Medium score reflects network reachability (AV:N), low complexity (AC:L), low required privileges (PR:L), no user interaction (UI:N), and limited per-component impact (C:L/I:L/A:L with unchanged scope). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to a 9router instance sends an HTTP request to a protected endpoint such as one listed in PROTECTED_API_PATHS, including the header Host: localhost in the request. The vulnerable isLocalRequest() function evaluates this header, returns true, and the isAuthenticated() function skips JWT validation, granting the attacker access to sensitive dashboard or administrative API functionality without valid credentials. … |
| Remediation | Upgrade decolua 9router to version 0.4.1 immediately; this is the vendor-confirmed fix available at https://github.com/decolua/9router/releases/tag/v0.4.1 with patch details at https://github.com/decolua/9router/commit/428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today