Skip to main content

9Router CVE-2026-56678

| EUVDEUVD-2026-44813 MEDIUM
Improper Input Validation (CWE-20)
2026-07-15 GitHub_M
6.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Network-reachable endpoint, low complexity; PR:L because valid account required; S:C for out-of-scope credential exfiltration; no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 22:33 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 21:16 vuln.today
Analysis Generated
Jul 15, 2026 - 21:16 vuln.today

DescriptionCVE.org

9Router is an AI router & token saver. Prior to 0.5.6, the Kiro API-key validation endpoint POST /api/oauth/kiro/api-key builds an upstream URL using a user-controlled region value, allowing an authenticated attacker to supply a crafted region such as kiro-canary.local:8443

and cause 9Router to send the Kiro validation request to an attacker-controlled host while forwarding the submitted Kiro API key as an Authorization header. This issue is fixed in version 0.5.6.

AnalysisAI

Server-side request forgery (SSRF) in 9Router's Kiro API-key validation endpoint allows authenticated attackers to redirect outbound validation requests to an attacker-controlled host, exfiltrating the submitted Kiro API key via the Authorization header. Affected are all 9Router deployments prior to version 0.5.6 where the Kiro OAuth provider is configured. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to 9Router with low-privilege credentials
Delivery
POST /api/oauth/kiro/api-key with crafted region containing '#' fragment
Exploit
9Router interpolates region into upstream OIDC URL without validation
Execution
Outbound HTTP request routes to attacker-controlled server
Impact
Attacker captures Kiro API key from Authorization header

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid low-privilege 9Router account - the CVSS vector confirms PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N is consistent with the described attack: low-complexity network exploitation requiring only low-privilege authentication, with a scope change affecting the downstream Kiro service through API key theft. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated 9Router user sends a POST request to /api/oauth/kiro/api-key with a crafted region value such as 'attacker.example.com:8443#', causing 9Router to build the URL https://oidc.attacker.example.com:8443#.amazonaws.com/token and issue an outbound validation request with the victim's Kiro API key in the Authorization header to the attacker's listener. No public exploit code was identified at time of analysis, but the technique requires only standard HTTP tooling given the low complexity of the URL fragment injection.
Remediation Upgrade to 9Router v0.5.6, which introduces an AWS region allowlist regex (/^[a-z]{2}-[a-z]+-\d{1,2}$/) via the assertValidAwsRegion() function applied across all region interpolation points in KiroService and related providers, preventing arbitrary host injection. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-59801 CRITICAL POC
9.3 Jul 13

Unauthenticated CRUD on the provider-management API in 9Router (through 0.4.41) lets remote attackers with no credential

CVE-2026-5842 MEDIUM POC
5.5 Apr 09

Remote authorization bypass in decolua 9router up to version 0.3.47 allows unauthenticated network attackers to access t

CVE-2026-62327 CRITICAL
9.3 Jul 13

Unauthenticated API key disclosure in 9Router (npm package '9router' by decolua) through version 0.4.41 lets any remote

CVE-2026-62312 HIGH
8.8 Jul 15

Authenticated remote code execution in 9Router before 0.5.2 lets a logged-in attacker run arbitrary OS commands on the h

CVE-2026-62328 HIGH
8.7 Jul 13

Unauthenticated information disclosure in 9Router (decolua/9router) through version 0.4.41 lets remote attackers read ev

CVE-2026-56679 HIGH
8.7 Jul 15

Authentication bypass in 9Router (AI router & token saver) prior to 0.5.4 lets any authenticated user disable applicatio

CVE-2026-55638 HIGH
8.6 Jul 10

Authorization-gate bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker reach protect

CVE-2026-56675 HIGH
8.3 Jul 10

Authentication bypass in 9Router (decolua/9router) versions prior to 0.5.2 lets remote unauthenticated attackers reach p

CVE-2026-55641 HIGH
8.2 Jul 10

Authentication bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker forge a 'Host: lo

CVE-2026-56676 HIGH
7.4 Jul 10

Server-side request forgery via DNS rebinding in 9Router (decolua/9router) before 0.5.2 allows an authenticated LLM-prox

CVE-2026-10269 MEDIUM
5.3 Jun 01

Improper authorization in decolua 9router through version 0.4.0 allows remote attackers with low privileges to bypass JW

Share

CVE-2026-56678 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy