CVE-2026-46339
decolua · 9router
9Router contains an authentication bypass vulnerability allowing unauthenticated remote command execution via unprotected API endpoints.
Executive summary
The 9Router AI router software is affected by a critical vulnerability that permits unauthenticated attackers to execute arbitrary system commands, leading to full remote control.
Vulnerability
This vulnerability involves missing authentication checks in the middleware for specific API routes, which allows an unauthenticated attacker to perform command injection via the MCP bridge or register custom plugins.
Business impact
Successful exploitation of this flaw grants an attacker full command execution capabilities on the host system. Given the CVSS score of 10.0, this represents a maximum severity risk that could result in total system compromise, data exfiltration, or the deployment of persistent malware within the network environment.
Remediation
Immediate Action: Update the 9router installation to version 0.4.37 or later immediately to resolve the authentication and command injection vulnerabilities.
Proactive Monitoring: Monitor system logs for unauthorized API requests targeting the /api/cli-tools/ or /api/mcp/ endpoints.
Compensating Controls: Deploy a Web Application Firewall (WAF) to block unauthorized access to the affected API paths until the update can be applied.
Exploitation status
Public Exploit Available: No (only a Nuclei detection template exists).
Analyst recommendation
This vulnerability presents a critical threat due to the ease of access and the severity of impact. Administrators must prioritize updating to version 0.4.37 immediately to prevent unauthorized remote command execution.