Skip to main content

Routinator CVE-2026-49234

| EUVDEUVD-2026-35064 HIGH
Improper Input Validation (CWE-20)
2026-06-08 NLnet Labs GHSA-gc6q-cwcj-3vh9
8.2
CVSS 4.0 · Vendor: NLnet Labs
Share

Severity by source

Vendor (NLnet Labs) PRIMARY
8.2 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (NLnet Labs) · only source for this CVE.

CVSS VectorVendor: NLnet Labs

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 16:50 vuln.today
CVSS changed
Jun 08, 2026 - 15:37 NVD
8.2 (HIGH)
CVE Published
Jun 08, 2026 - 12:58 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes.

This only affects users who allow API access from untrusted networks.

AnalysisAI

Denial of service in NLnet Labs Routinator (an RPKI Relying Party software) allows remote attackers to crash the daemon by sending a specifically crafted non-UTF-8 string in the select-asn query parameter to the /api/v1/origins HTTP endpoint. The flaw only impacts deployments that expose the API to untrusted networks, and no public exploit has been identified at time of analysis. CVSS 4.0 base score is 8.2 driven by high availability impact to both the vulnerable component and downstream RPKI consumers.

Technical ContextAI

Routinator is NLnet Labs' RPKI (Resource Public Key Infrastructure) Relying Party validator written in Rust, responsible for fetching and validating ROAs used by routers and route servers to make BGP origin-validation decisions. The bug is rooted in CWE-20 (Improper Input Validation): the /api/v1/origins endpoint accepts a select-asn query parameter but does not safely handle byte sequences that are not valid UTF-8, causing the process to panic and terminate. Because RPKI validation feeds downstream BGP routers via RTR, an outage of the validator can degrade ROV decisions for every router relying on this instance, which is reflected in the CVSS Subsequent System Availability (SA:H) metric.

RemediationAI

Vendor-released patch: Routinator 0.15.2 - upgrade immediately per the NLnet Labs advisory at https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49234.txt. Until the upgrade can be applied, restrict access to the HTTP API by binding it to localhost only or placing it behind a reverse proxy/firewall ACL that permits only trusted management hosts; specifically block external reachability of /api/v1/origins. As an additional compensating control, front the endpoint with a proxy that validates query parameters as UTF-8 before forwarding, accepting the trade-off that legitimate ASN selection requests must still pass through unchanged. Monitor the Routinator process for unexpected restarts and configure a supervisor (systemd Restart=on-failure) so an exploitation attempt produces a brief blip rather than a sustained validator outage, with the side effect that repeated crashes may mask attack activity in logs.

CVE-2020-17366 HIGH POC
7.4 Aug 05

An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. Rated high severity (CVSS 7.4), this vulnerability

CVE-2026-49235 HIGH
8.7 Jun 08

Denial of service in NLnet Labs Routinator allows remote attackers to crash the RPKI validator by serving a crafted Docu

CVE-2026-49232 HIGH
8.7 Jun 08

Denial of service in NLnet Labs Routinator allows remote unauthenticated attackers to crash the daemon by opening a larg

CVE-2026-49233 HIGH
8.3 Jun 08

Path traversal in NLnet Labs Routinator allows remote attackers to escape the rsync cache directory by supplying rsync U

CVE-2024-1622 HIGH
7.5 Feb 26

Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too q

CVE-2023-39915 HIGH
7.5 Sep 13

NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects.

CVE-2022-3029 HIGH
7.5 Sep 13

In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and

CVE-2021-43174 HIGH
7.5 Nov 09

NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP r

CVE-2021-43173 HIGH
7.5 Nov 09

In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not ans

CVE-2021-43172 HIGH
7.5 Nov 09

NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to ne

CVE-2021-41531 HIGH
7.5 Sep 21

NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length

CVE-2023-39916 MEDIUM
6.5 Sep 13

NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as 0.14.0 up to and including 0.14.2 contains a possible

Share

CVE-2026-49234 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy