CVE-2026-49352
decolua · 9router
9Router contains a hardcoded fallback JWT secret in its authentication routing and middleware, allowing unauthenticated attackers to forge authentication tokens.
Executive summary
A hardcoded authentication secret in the decolua 9router package allows unauthenticated attackers to bypass security controls and forge administrative tokens.
Vulnerability
This vulnerability involves the use of a hardcoded fallback JWT secret (9router-default-secret-change-me) within the application authentication logic. Because the vulnerability is present in the login routing and middleware, unauthenticated attackers can successfully forge authentication cookies if the primary JWT_SECRET environment variable is not explicitly set.
Business impact
The ability to forge authentication tokens grants an attacker complete unauthorized access to the application, effectively bypassing all authentication and authorization mechanisms. Given the CVSS score of 9.8, this represents a critical risk that could lead to full system compromise, data exfiltration, or administrative account takeover, resulting in significant reputational and operational damage.
Remediation
Immediate Action: Update the decolua 9router package to version 0.4.44 or later immediately.
Proactive Monitoring: Review authentication logs for suspicious login patterns or unauthorized access attempts using unexpected session tokens.
Compensating Controls: Ensure the JWT_SECRET environment variable is explicitly and securely configured for all deployments to prevent the application from falling back to the hardcoded default.
Exploitation status
Public Exploit Available: Yes, a public proof-of-concept exists on GitHub.
Analyst recommendation
This is a critical security flaw that requires immediate attention. Organizations utilizing decolua 9router must upgrade to version 0.4.44 without delay to remove the hardcoded secret. Failure to patch will leave the authentication layer entirely exposed to trivial token forgery attacks.