Local Access Gate Vulnerability in 9Router by Decolua
CVE-2026-49353
7.5HIGH
What is CVE-2026-49353?
In versions 0.4.45 and earlier, the 9Router’s src/dashboardGuard.js implemented a local-only access gate designed to secure various API endpoints such as /api/mcp/, /api/tunnel/, and /api/cli-tools/*. However, due to improper validation of Host and Origin headers in the isLocalRequest() function, the vulnerability allows attackers to spoof these headers, particularly in reverse proxy or tunnel configurations. This could potentially grant access to the MCP child process's stdin paths, posing significant security risks for users deploying 9Router in susceptible environments.
Affected Version(s)
9router <= 0.4.45
