Security Flaw in 9Router AI Router's Login Rate Limiting Mechanism
CVE-2026-55501

7.3HIGH

Key Information:

Vendor

Decolua

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55501?

The 9Router AI router suffers from a significant security flaw where the login rate limiter fails to reliably derive client identity due to the use of the attacker-controlled X-Forwarded-For HTTP header. This vulnerability allows remote attackers to manipulate their IP address on each login attempt, bypassing the established limit of five attempts and lockout durations. Consequently, they can execute unlimited brute-force attempts on the dashboard password, posing a severe security risk. This issue has been addressed in version 0.4.80, which includes preventative measures against such circumvention.

Affected Version(s)

9router < 0.4.80

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.