PT-2026-57222 · 9Router · 9Router

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-56675

CVSS v3.1

8.3

High

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions 9Router versions prior to 0.5.2
Description 9Router treats loopback requests as trusted, allowing access to the /v1/* endpoints without an API key. When a same-host reverse proxy forwards public traffic to the backend via 127.0.0.1, the dashboardGuard.js function misclassifies external requests as local. This allows a remote unauthenticated attacker to access APIs such as /v1/models and potentially abuse configured upstream provider credentials through /v1 proxy endpoints, depending on the enabled providers.
Recommendations Update to version 0.5.2.

Fix

Authentication Bypass by Spoofing

Missing Authentication

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56675

Affected Products

9Router