API Key Validation Vulnerability in 9Router AI Router by Decolua
CVE-2026-56678
6.4MEDIUM
What is CVE-2026-56678?
The 9Router, an AI-powered router by Decolua, has a security issue in its Kiro API-key validation endpoint. Before version 0.5.6, this vulnerability allows authenticated attackers to manipulate a user-controlled region value when making a POST request to /api/oauth/kiro/api-key. By submitting a crafted region such as kiro-canary.local:8443#, an attacker can redirect the Kiro validation request to their own host, thereby capturing sensitive information like the API key sent in the Authorization header. This issue has been addressed in the latest update.
Affected Version(s)
9router < 0.5.6
