Local Access Gate Vulnerability in 9Router by Decolua
CVE-2026-49353

7.5HIGH

Key Information:

Vendor

Decolua

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-49353?

In versions 0.4.45 and earlier, the 9Router’s src/dashboardGuard.js implemented a local-only access gate designed to secure various API endpoints such as /api/mcp/, /api/tunnel/, and /api/cli-tools/*. However, due to improper validation of Host and Origin headers in the isLocalRequest() function, the vulnerability allows attackers to spoof these headers, particularly in reverse proxy or tunnel configurations. This could potentially grant access to the MCP child process's stdin paths, posing significant security risks for users deploying 9Router in susceptible environments.

Affected Version(s)

9router <= 0.4.45

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.