CVE-2026-55638: 9Router is an AI router & token saver. Prior to 0.5.2, 9router protects /v1, /v1beta, /api/v1, and /api/v1beta in src/dashboardGuard.js but omits /codex before next.config.mjs rewr
9Router is an AI router & token saver. Prior to 0.5.2, 9router protects /v1, /v1beta, /api/v1, and /api/v1beta in src/dashboardGuard.js but omits /codex before next.config.mjs rewrites /codex/* to /api/v1/responses. A remote unauthenticated attacker can send requests to /codex/* to bypass the API-key gate and cause the server to make upstream provider calls using operator-stored LLM provider credentials. This issue is fixed in version 0.5.2.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-55638
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-55638 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for 9Router is an
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- highCVE-2026-56675: 9Router is an AI router & token saver. Prior to 0.5.2, 9router treats loopback requests as tru…nvd · 2026-07-10
- highCVE-2026-55641: 9Router is an AI router & token saver. Prior to 0.5.2, 9router determines whether a /v1 LLM pr…nvd · 2026-07-10
- highCVE-2026-56676: 9Router is an AI router & token saver. Prior to 0.5.2, 9router validates image URLs by resolvi…nvd · 2026-07-10
- highCVE-2026-55501: 9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in sr…nvd · 2026-07-10
- criticalCVE-2026-55500: 9Router is an AI router & token saver. Prior to 0.4.80, the /api/settings/database endpoint al…nvd · 2026-07-10
- criticalCVE-2026-59800: 9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated PO…nvd · 2026-07-07
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11