CVE-2026-49352
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
9Router is an AI router & token saver. From 0.2.21 until 0.4.44, 9Router used the hardcoded fallback JWT secret 9router-default-secret-change-me in src/app/api/auth/login/route.js, src/middleware.js, and later src/lib/auth/dashboardSession.js, allowing attackers to forge an auth_token cookie when JWT_SECRET was unset. This issue is fixed in version 0.4.44
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| decolua | 9router | >= 0.2.21, < 0.4.44 | affected |
Weaknesses
- CWE-798: CWE-798: Use of Hard-coded Credentials
References
- https://github.com/decolua/9router/security/advisories/GHSA-jphh-m39h-6gwx
- https://github.com/decolua/9router/commit/fe3ce25ae3cda48c0702c2d452e17f6ec214009d
- https://github.com/decolua/9router/releases/tag/v0.4.44
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.