Exploitable Loopback Request Handling in AI Router by Decolua
CVE-2026-56675

8.3HIGH

Key Information:

Vendor

Decolua

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-56675?

The 9Router AI router prior to version 0.5.2 inadequately handles loopback requests, mistakenly treating them as trusted. This flaw enables a remote unauthenticated attacker to access sensitive APIs, such as /v1/models, without an API key. By exploiting this vulnerability through a same-host reverse proxy that directs traffic to the backend, attackers can potentially misuse upstream provider credentials via misclassified local requests. A fix is available in version 0.5.2 to mitigate this risk.

Affected Version(s)

9router < 0.5.2

References

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.