CVE-2026-56678
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-20
Validación incorrecta de entrada
Fecha de publicación:
15/07/2026
Última modificación:
16/07/2026
Descripción
*** Pendiente de traducción *** 9Router is an AI router & token saver. Prior to 0.5.6, the Kiro API-key validation endpoint POST /api/oauth/kiro/api-key builds an upstream URL using a user-controlled region value, allowing an authenticated attacker to supply a crafted region such as kiro-canary.local:8443# and cause 9Router to send the Kiro validation request to an attacker-controlled host while forwarding the submitted Kiro API key as an Authorization header. This issue is fixed in version 0.5.6.
Impacto
Puntuación base 3.x
6.40
Gravedad 3.x
MEDIA



