CVE-2026-49353
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/07/2026
Last modified:
16/07/2026
Description
9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest() to protect /api/mcp/*, /api/tunnel/*, and /api/cli-tools/*, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP child process stdin paths.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://github.com/decolua/9router/commit/5e1c1261368e06dced1cbc650684561b2c8844db
- https://github.com/decolua/9router/commit/bb86808582067e4fc6f004508a919efb9970d1d5
- https://github.com/decolua/9router/releases/tag/v0.4.46
- https://github.com/decolua/9router/security/advisories/GHSA-6g2f-w7g3-77vf
- https://github.com/decolua/9router/security/advisories/GHSA-6g2f-w7g3-77vf



