API Key Validation Vulnerability in 9Router AI Router by Decolua
CVE-2026-56678

6.4MEDIUM

Key Information:

Vendor

Decolua

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-56678?

The 9Router, an AI-powered router by Decolua, has a security issue in its Kiro API-key validation endpoint. Before version 0.5.6, this vulnerability allows authenticated attackers to manipulate a user-controlled region value when making a POST request to /api/oauth/kiro/api-key. By submitting a crafted region such as kiro-canary.local:8443#, an attacker can redirect the Kiro validation request to their own host, thereby capturing sensitive information like the API key sent in the Authorization header. This issue has been addressed in the latest update.

Affected Version(s)

9router < 0.5.6

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.