Security Flaw in 9Router AI Router's Login Rate Limiting Mechanism
CVE-2026-55501
7.3HIGH
What is CVE-2026-55501?
The 9Router AI router suffers from a significant security flaw where the login rate limiter fails to reliably derive client identity due to the use of the attacker-controlled X-Forwarded-For HTTP header. This vulnerability allows remote attackers to manipulate their IP address on each login attempt, bypassing the established limit of five attempts and lockout durations. Consequently, they can execute unlimited brute-force attempts on the dashboard password, posing a severe security risk. This issue has been addressed in version 0.4.80, which includes preventative measures against such circumvention.
Affected Version(s)
9router < 0.4.80
