PT-2026-57222 · 9Router · 9Router
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-56675
CVSS v3.1
8.3
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
9Router versions prior to 0.5.2
Description
9Router treats loopback requests as trusted, allowing access to the
/v1/* endpoints without an API key. When a same-host reverse proxy forwards public traffic to the backend via 127.0.0.1, the dashboardGuard.js function misclassifies external requests as local. This allows a remote unauthenticated attacker to access APIs such as /v1/models and potentially abuse configured upstream provider credentials through /v1 proxy endpoints, depending on the enabled providers.Recommendations
Update to version 0.5.2.
Fix
Authentication Bypass by Spoofing
Missing Authentication
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
9Router