CVE-2026-56679
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Summary
9Router is an AI router & token saver. Prior to 0.5.4, the PATCH /api/settings endpoint writes the entire request body to persistent settings without a field whitelist, allowing an authenticated user to set security-critical fields such as requireLogin and disable authentication for the whole application, exposing protected routes such as /api/keys and /api/providers to unauthenticated access. This issue is reported as fixed in version 0.5.4.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| decolua | 9router | < 0.5.4 | affected |
Weaknesses
- CWE-915: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.