API Access Bypass in 9Router by Decolua
CVE-2026-55638

8.6HIGH

Key Information:

Vendor

Decolua

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55638?

The vulnerability in 9Router allows remote unauthenticated attackers to bypass API key protections. Specifically, prior to version 0.5.2, the /codex endpoint was not properly secured, which let attackers make requests that could utilize sensitive operator-stored credentials. The flaw was addressed in version 0.5.2, ensuring better security for API interactions.

Affected Version(s)

9router < 0.5.2

References

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.