CVE-2026-49353
Gravedad CVSS v3.1:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
15/07/2026
Última modificación:
16/07/2026
Descripción
*** Pendiente de traducción *** 9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest() to protect /api/mcp/*, /api/tunnel/*, and /api/cli-tools/*, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP child process stdin paths.
Impacto
Puntuación base 3.x
7.50
Gravedad 3.x
ALTA
Referencias a soluciones, herramientas e información
- https://github.com/decolua/9router/commit/5e1c1261368e06dced1cbc650684561b2c8844db
- https://github.com/decolua/9router/commit/bb86808582067e4fc6f004508a919efb9970d1d5
- https://github.com/decolua/9router/releases/tag/v0.4.46
- https://github.com/decolua/9router/security/advisories/GHSA-6g2f-w7g3-77vf
- https://github.com/decolua/9router/security/advisories/GHSA-6g2f-w7g3-77vf



