Improper Authorization in Decolua 9router HTTP Header by Decolua
CVE-2026-10269

5.3MEDIUM

Key Information:

Vendor

Decolua

Status
9router
Vendor
CVE Published:
1 June 2026

What is CVE-2026-10269?

A security vulnerability affecting Decolua's 9router up to version 0.4.0 has been identified. Specifically, the flaw lies in the isAuthenticated function within the src/dashboardGuard.js file of the HTTP Header Handler component. A remote attacker could exploit this vulnerability by manipulating the argument Host, leading to unauthorized access. It is crucial for users to upgrade to version 0.4.1 of the product to mitigate this risk, as it includes the necessary patch identified by commit 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca.

Affected Version(s)

9router 0.1

9router 0.2

9router 0.3

References

https://vuldb.com/vuln/367548
vdb-entrytechnical-description
https://vuldb.com/vuln/367548/cti
signaturepermissions-required
https://vuldb.com/cve/CVE-2026-10269
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

brad (VulDB User)
.