Remote Code Execution in 9Router AI Router
CVE-2026-55641
8.2HIGH
What is CVE-2026-55641?
Prior to version 0.5.2, 9Router, an AI router and token saver, allows a remote attacker to bypass API key authentication. This vulnerability arises when the device processes the client-controlled Host header incorrectly, permitting the attacker to craft requests with 'Host: localhost'. Consequently, it enables unauthorized access to the /v1 proxy, which can expose stored provider credentials and facilitate server-based requests to internal or cloud metadata hosts. Users should upgrade to version 0.5.2 to mitigate this risk.
Affected Version(s)
9router < 0.5.2
