Exploitable Loopback Request Handling in AI Router by Decolua
CVE-2026-56675
8.3HIGH
What is CVE-2026-56675?
The 9Router AI router prior to version 0.5.2 inadequately handles loopback requests, mistakenly treating them as trusted. This flaw enables a remote unauthenticated attacker to access sensitive APIs, such as /v1/models, without an API key. By exploiting this vulnerability through a same-host reverse proxy that directs traffic to the backend, attackers can potentially misuse upstream provider credentials via misclassified local requests. A fix is available in version 0.5.2 to mitigate this risk.
Affected Version(s)
9router < 0.5.2
