Skip to main content

9Router CVE-2026-56676

| EUVDEUVD-2026-42929 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-07-10 GitHub_M
7.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.4 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
vuln.today AI
4.9 MEDIUM

Authenticated proxy user (PR:L) over the network; winning the DNS rebind race raises AC:H; SSRF pivots to internal systems (S:C) with limited read/write and no availability impact (A:N).

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 17:01 EUVD
Analysis Generated
Jul 10, 2026 - 16:23 vuln.today

DescriptionCVE.org

9Router is an AI router & token saver. Prior to 0.5.2, 9router validates image URLs by resolving the host before fetching, but open-sse/translator/concerns/image.js performs the later server-side image fetch with a separate DNS resolution. An authenticated attacker with access to the LLM proxy can use a vision-capable model and an attacker-controlled DNS name that first resolves to a public IP and then rebinds to an internal address, allowing server-side requests to internal-only HTTP services. This issue is fixed in version 0.5.2.

AnalysisAI

Server-side request forgery via DNS rebinding in 9Router (decolua/9router) before 0.5.2 allows an authenticated LLM-proxy user to reach internal-only HTTP services. The image-URL validation resolves the host once to a public IP, but open-sse/translator/concerns/image.js performs the actual server-side fetch with a separate DNS lookup, so an attacker-controlled name can rebind to an internal address between the two resolutions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to LLM proxy
Delivery
Submit vision request with attacker DNS image URL
Exploit
Validation resolves name to public IP
Execution
Fetch re-resolves, rebinds to internal IP
Persist
Server fetches internal-only service
Impact
Internal data returned via model

Vulnerability AssessmentAI

Exploitation Requires an authenticated user with access to the LLM proxy (PR:L) who can invoke a vision-capable model that accepts remote image URLs. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L, base 7.4 High) reflects a network-reachable, low-complexity attack requiring low-privilege authentication, with a scope change (S:C) capturing the pivot from the proxy into internal systems, and limited C/I/A impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds valid credentials for the 9router LLM proxy sends a vision-model request whose image URL points to a hostname on their own authoritative DNS server. That name first resolves to a benign public IP so validation passes, then rebinds to 127.0.0.1 or an internal address on the fetch, causing the server to retrieve content from an internal-only HTTP service and disclose it back through the model pipeline. …
Remediation Vendor-released patch: upgrade 9router to version 0.5.2 or later (release https://github.com/decolua/9router/releases/tag/v0.5.2, fix commit c7d07448c58bec1200741de0b73305b860416b82, advisory GHSA-cmhj-wh2f-9cgx). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running 9Router and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-59801 CRITICAL POC
9.3 Jul 13

Unauthenticated CRUD on the provider-management API in 9Router (through 0.4.41) lets remote attackers with no credential

CVE-2026-5842 MEDIUM POC
5.5 Apr 09

Remote authorization bypass in decolua 9router up to version 0.3.47 allows unauthenticated network attackers to access t

CVE-2026-62327 CRITICAL
9.3 Jul 13

Unauthenticated API key disclosure in 9Router (npm package '9router' by decolua) through version 0.4.41 lets any remote

CVE-2026-62312 HIGH
8.8 Jul 15

Authenticated remote code execution in 9Router before 0.5.2 lets a logged-in attacker run arbitrary OS commands on the h

CVE-2026-62328 HIGH
8.7 Jul 13

Unauthenticated information disclosure in 9Router (decolua/9router) through version 0.4.41 lets remote attackers read ev

CVE-2026-56679 HIGH
8.7 Jul 15

Authentication bypass in 9Router (AI router & token saver) prior to 0.5.4 lets any authenticated user disable applicatio

CVE-2026-55638 HIGH
8.6 Jul 10

Authorization-gate bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker reach protect

CVE-2026-56675 HIGH
8.3 Jul 10

Authentication bypass in 9Router (decolua/9router) versions prior to 0.5.2 lets remote unauthenticated attackers reach p

CVE-2026-55641 HIGH
8.2 Jul 10

Authentication bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker forge a 'Host: lo

CVE-2026-56678 MEDIUM
6.4 Jul 15

Server-side request forgery (SSRF) in 9Router's Kiro API-key validation endpoint allows authenticated attackers to redir

CVE-2026-10269 MEDIUM
5.3 Jun 01

Improper authorization in decolua 9router through version 0.4.0 allows remote attackers with low privileges to bypass JW

Share

CVE-2026-56676 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy