Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-6g2f-w7g3-77vf | 9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING |
Thu, 16 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 23:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Decolua
Decolua 9router |
|
| Vendors & Products |
Decolua
Decolua 9router |
Wed, 15 Jul 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | 9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest() to protect /api/mcp/*, /api/tunnel/*, and /api/cli-tools/*, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP child process stdin paths. | |
| Title | 9Router: Local-Only Access Gate Bypass in 9router via Host Header SpoofING | |
| Weaknesses | CWE-290 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-16T15:12:31.230Z
Reserved: 2026-05-29T14:35:45.903Z
Link: CVE-2026-49353
Updated: 2026-07-16T14:49:51.029Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T23:30:04Z
Github GHSA