Access Control Bypass in @koa/router Affects Koa.js Framework
CVE-2026-9495

6.9 MEDIUM

Key Information:

Vendor

Koa.js

CVE Published:
26 May 2026

What is CVE-2026-9495?

Versions of the @koa/router package up to 14.0.0 are prone to an Access Control Bypass vulnerability. This occurs when middleware is inadvertently excluded from the execution stack when path parameters are included in the router prefix. This oversight can allow attackers to circumvent crucial security mechanisms, potentially leading to unauthorized access, evading rate limits, or bypassing input sanitization measures that would normally protect an application.
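As an added example (not code from the advisory and not @koa/router's implementation), the following toy Koa-style dispatcher models the failure mode described above and gives the regression check a maintainer would want: every registered route is exercised without credentials and any route on which the guard never ran, or which answered 200, is reported. The `compose` helper, `ToyRouter`, the `buggy` switch that drops router-level middleware when the prefix contains a path parameter, and the route and prefix names are all constructed for illustration; the same guard registered at application level is shown to survive the defect.

```javascript
// Added example, not code from the advisory or from @koa/router.
// A toy synchronous model of Koa-style middleware dispatch used to (1) show
// the failure mode the advisory describes and (2) provide a regression check
// that lists routes on which a security middleware never executed.

// Minimal synchronous compose: each middleware receives (ctx, next).
function compose(stack) {
  return function run(ctx) {
    let index = -1;
    function dispatch(i) {
      if (i <= index) throw new Error('next() called multiple times');
      index = i;
      const fn = stack[i];
      if (fn) fn(ctx, () => dispatch(i + 1));
    }
    dispatch(0);
    return ctx;
  };
}

// Toy router with an optional prefix. ASSUMPTION: a simplified model for
// illustration, not the real @koa/router implementation.
class ToyRouter {
  constructor(prefix = '') {
    this.prefix = prefix;
    this.middleware = []; // router-level middleware added via use()
    this.routes = [];
  }
  use(fn) { this.middleware.push(fn); return this; }
  get(path, handler) { this.routes.push({ path: this.prefix + path, handler }); return this; }
  // Builds the execution stack for one route. With `buggy` set it models the
  // defect the advisory describes: router-level middleware is dropped whenever
  // the prefix contains a path parameter such as ':tenant'.
  stackFor(route, buggy = false) {
    const dropped = buggy && /:/.test(this.prefix);
    return [...(dropped ? [] : this.middleware), route.handler];
  }
}

// Security middleware under test: marks the context so its execution is observable.
function authGuard(ctx, next) {
  ctx.state.guarded = true;
  if (!ctx.headers.authorization) { ctx.status = 401; return; } // stop the chain
  next();
}

function handler(ctx) { ctx.status = 200; ctx.body = 'ok'; }

// Constructed routes: two protected endpoints behind a router-level guard.
function buildRouter(prefix) {
  return new ToyRouter(prefix).use(authGuard).get('/records', handler).get('/export', handler);
}

// Regression check: simulate an unauthenticated request against every route and
// return the paths on which the guard never ran or the request was served.
// `appLevel` models middleware registered with app.use() ahead of the router.
function findUnguardedRoutes(router, { buggy = false, appLevel = [] } = {}) {
  const unguarded = [];
  for (const route of router.routes) {
    const ctx = { headers: {}, state: {}, status: 404 };
    compose([...appLevel, ...router.stackFor(route, buggy)])(ctx);
    if (ctx.state.guarded !== true || ctx.status === 200) unguarded.push(route.path);
  }
  return unguarded;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('literal prefix, defect present:', findUnguardedRoutes(buildRouter('/api'), { buggy: true }));
  console.log('param prefix, defect present:', findUnguardedRoutes(buildRouter('/tenants/:tenant'), { buggy: true }));
  console.log('param prefix, app-level guard:', findUnguardedRoutes(buildRouter('/tenants/:tenant'), { buggy: true, appLevel: [authGuard] }));
}
```

In a real Koa application the equivalent check is an integration test that requests every registered route without credentials and asserts on a 401, and the equivalent placement is to register authentication, rate limiting and input sanitization with `app.use()` before `router.routes()` so that their execution does not depend on router-internal dispatch.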

Affected Version(s)

@koa/router 14.0.0 < 15.0.0

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ryan Mitchell