Skip to main content

9Router EUVD-2026-20853

| CVE-2026-5842 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-09 VulDB
Authentication Bypass 9Router
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 09, 2026 - 05:16 vuln.today
Public exploit code
EUVD ID Assigned
Apr 09, 2026 - 05:15 euvd
EUVD-2026-20853
Analysis Generated
Apr 09, 2026 - 05:15 vuln.today
Patch released
Apr 09, 2026 - 05:15 nvd
Patch available
CVE Published
Apr 09, 2026 - 04:30 nvd
MEDIUM 6.9

DescriptionCVE.org

A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component.

AnalysisAI

Remote authorization bypass in decolua 9router up to version 0.3.47 allows unauthenticated network attackers to access the Administrative API Endpoint (/api) without proper credentials, potentially exposing sensitive functionality. The vulnerability has publicly available exploit code and vendor-released patch version 0.3.75 is available, reducing real-world risk for patched deployments but creating urgency for unpatched instances given active public disclosures.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment This vulnerability presents moderate real-world risk despite a CVSS score of 6.9. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker on the internet discovers a decolua 9router instance with version 0.3.47 or earlier running on a network-accessible IP address. The attacker uses publicly available exploit code from https://github.com/deepcat1337/Free_Api_Exploit/tree/main to send a crafted HTTP request to the /api endpoint, bypassing authorization checks and gaining access to administrative functions such as configuration retrieval, user enumeration, or system parameter modification. …
Remediation Vendor-released patch: upgrade decolua 9router to version 0.3.75 or later, available at https://github.com/decolua/9router/releases/tag/v0.3.75. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-20853 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy