CVE-2026-55501
decolua · 9router
9router fails to properly restrict excessive authentication attempts, potentially allowing attackers to conduct brute-force or credential-stuffing attacks against the system.
Executive summary
An improper restriction of authentication attempts in 9router could allow an unauthenticated attacker to brute-force system credentials.
Vulnerability
The application lacks adequate mechanisms to limit the rate or number of authentication attempts (CWE-307). This allows an unauthenticated attacker to submit repeated login attempts, significantly increasing the likelihood of successfully guessing valid credentials.
Business impact
The CVSS score of 7.3 reflects the high risk of account takeover via brute-force. Successful exploitation could lead to full unauthorized access to the router’s administrative functions, potentially resulting in complete compromise of the routing data and the AI token-saving configuration.
Remediation
Immediate Action: Update the 9router package to version 0.4.77 or later to implement the required authentication rate limiting.
Proactive Monitoring: Monitor authentication logs for high volumes of failed login attempts from single or distributed IP addresses.
Compensating Controls: Implement an external rate-limiting mechanism, such as an identity-aware proxy or a Web Application Firewall (WAF) rule, to block IPs showing suspicious authentication activity.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The availability of a proof-of-concept and the lack of native rate limiting make this a priority for remediation. Organizations should update to the patched version immediately to prevent automated credential-guessing attacks.