Skip to main content

9Router CVE-2026-62312

| EUVDEUVD-2026-44814 HIGH
OS Command Injection (CWE-78)
2026-07-15 GitHub_M
8.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable authenticated user (PR:L) chains a reliable Host-header bypass (AC:L) into host command execution, yielding full C/I/A impact with no user interaction.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 22:33 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 21:15 vuln.today
Analysis Generated
Jul 15, 2026 - 21:15 vuln.today
CVE Published
Jul 15, 2026 - 20:53 cve.org
HIGH 8.8

DescriptionCVE.org

9Router is an AI router & token saver. Prior to 0.5.2, 9Router allows a remote authenticated attacker to achieve arbitrary code execution on the host operating system by combining a Host header bypass of localhost-only routes with unvalidated MCP plugin args passed to child_process.spawn(), allowing malicious custom plugins to execute commands through /api/mcp//sse. This issue is fixed in version 0.5.2.

AnalysisAI

Authenticated remote code execution in 9Router before 0.5.2 lets a logged-in attacker run arbitrary OS commands on the host by chaining a Host-header spoof (to reach routes that are supposed to be localhost-only) with unsanitized MCP plugin arguments that flow into child_process.spawn() via the /api/mcp//sse endpoint. Rated CVSS 8.8 (CWE-78, OS command injection), it is fixed in 0.5.2; no public exploit or CISA KEV listing exists at time of analysis, though a vendor advisory and fix commit are published.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to 9Router (PR:L)
Delivery
Spoof Host/forwarding header to pass localhost-only guard
Exploit
Reach /api/mcp//sse plugin route
Execution
Supply malicious custom MCP plugin args
Persist
child_process.spawn() executes injected command
Impact
Arbitrary code execution on host

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) an authenticated low-privileged session to 9Router (CVSS PR:L), (2) the ability to define or influence a custom MCP plugin whose arguments reach child_process.spawn(), and (3) a deployment where 9Router sits behind a reverse proxy so that the loopback/localhost-only guard can be defeated with attacker-supplied forwarding/Host headers to reach the /api/mcp//sse route. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 8.8 High) indicates network-reachable, low-complexity exploitation requiring only low privileges and no user interaction, with full confidentiality/integrity/availability impact - consistent with host RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a low-privileged authenticated session to a proxy-fronted 9Router sends a request to /api/mcp//sse with a spoofed Host/forwarding header so the localhost-only guard treats it as loopback traffic. They then supply a malicious custom MCP plugin whose arguments embed shell metacharacters, which 9Router passes into child_process.spawn(), executing arbitrary commands on the host OS. …
Remediation Vendor-released patch: upgrade to 9Router 0.5.2 (https://github.com/decolua/9router/releases/tag/v0.5.2), which corrects the loopback-trust logic - the fix commit da667836cc7584bea0edd893de1d590c9ea279dc stamps an x-9r-via-proxy header when x-forwarded-for or x-real-ip are present and makes dashboardGuard.js treat such proxied requests as non-local, closing the Host-header bypass. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit your environment to identify all 9Router instances and their current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-59801 CRITICAL POC
9.3 Jul 13

Unauthenticated CRUD on the provider-management API in 9Router (through 0.4.41) lets remote attackers with no credential

CVE-2026-5842 MEDIUM POC
5.5 Apr 09

Remote authorization bypass in decolua 9router up to version 0.3.47 allows unauthenticated network attackers to access t

CVE-2026-62327 CRITICAL
9.3 Jul 13

Unauthenticated API key disclosure in 9Router (npm package '9router' by decolua) through version 0.4.41 lets any remote

CVE-2026-62328 HIGH
8.7 Jul 13

Unauthenticated information disclosure in 9Router (decolua/9router) through version 0.4.41 lets remote attackers read ev

CVE-2026-56679 HIGH
8.7 Jul 15

Authentication bypass in 9Router (AI router & token saver) prior to 0.5.4 lets any authenticated user disable applicatio

CVE-2026-55638 HIGH
8.6 Jul 10

Authorization-gate bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker reach protect

CVE-2026-56675 HIGH
8.3 Jul 10

Authentication bypass in 9Router (decolua/9router) versions prior to 0.5.2 lets remote unauthenticated attackers reach p

CVE-2026-55641 HIGH
8.2 Jul 10

Authentication bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker forge a 'Host: lo

CVE-2026-56676 HIGH
7.4 Jul 10

Server-side request forgery via DNS rebinding in 9Router (decolua/9router) before 0.5.2 allows an authenticated LLM-prox

CVE-2026-56678 MEDIUM
6.4 Jul 15

Server-side request forgery (SSRF) in 9Router's Kiro API-key validation endpoint allows authenticated attackers to redir

CVE-2026-10269 MEDIUM
5.3 Jun 01

Improper authorization in decolua 9router through version 0.4.0 allows remote attackers with low privileges to bypass JW

Share

CVE-2026-62312 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy