CVE-2026-46339

decolua · 9router

9Router contains an authentication bypass vulnerability allowing unauthenticated remote command execution via unprotected API endpoints.

Executive summary

The 9Router AI router software is affected by a critical vulnerability that permits unauthenticated attackers to execute arbitrary system commands, leading to full remote control.

Vulnerability

This vulnerability involves missing authentication checks in the middleware for specific API routes, which allows an unauthenticated attacker to perform command injection via the MCP bridge or register custom plugins.

Business impact

Successful exploitation of this flaw grants an attacker full command execution capabilities on the host system. Given the CVSS score of 10.0, this represents a maximum severity risk that could result in total system compromise, data exfiltration, or the deployment of persistent malware within the network environment.

Remediation

Immediate Action: Update the 9router installation to version 0.4.37 or later immediately to resolve the authentication and command injection vulnerabilities.

Proactive Monitoring: Monitor system logs for unauthorized API requests targeting the /api/cli-tools/ or /api/mcp/ endpoints.

Compensating Controls: Deploy a Web Application Firewall (WAF) to block unauthorized access to the affected API paths until the update can be applied.

Exploitation status

Public Exploit Available: No (only a Nuclei detection template exists).

Analyst recommendation

This vulnerability presents a critical threat due to the ease of access and the severity of impact. Administrators must prioritize updating to version 0.4.37 immediately to prevent unauthorized remote command execution.