Remote Code Execution in 9Router AI Router
CVE-2026-55641

8.2HIGH

Key Information:

Vendor

Decolua

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55641?

Prior to version 0.5.2, 9Router, an AI router and token saver, allows a remote attacker to bypass API key authentication. This vulnerability arises when the device processes the client-controlled Host header incorrectly, permitting the attacker to craft requests with 'Host: localhost'. Consequently, it enables unauthorized access to the /v1 proxy, which can expose stored provider credentials and facilitate server-based requests to internal or cloud metadata hosts. Users should upgrade to version 0.5.2 to mitigate this risk.

Affected Version(s)

9router < 0.5.2

References

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.