CVE-2026-49353
7.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Summary
9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest() to protect /api/mcp/, /api/tunnel/, and /api/cli-tools/*, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP child process stdin paths.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| decolua | 9router | <= 0.4.45 | affected |
Weaknesses
- CWE-290: CWE-290: Authentication Bypass by Spoofing
References
- https://github.com/decolua/9router/security/advisories/GHSA-6g2f-w7g3-77vf
- https://github.com/decolua/9router/commit/5e1c1261368e06dced1cbc650684561b2c8844db
- https://github.com/decolua/9router/commit/bb86808582067e4fc6f004508a919efb9970d1d5
- https://github.com/decolua/9router/releases/tag/v0.4.46
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.