CVE-2026-55638

decolua · 9router

9Router is affected by missing and incorrect authorization vulnerabilities, enabling unauthorized access to critical functions.

Executive summary

Missing and incorrect authorization flaws in 9Router versions prior to 0.5.2 expose the system to unauthorized access and potential service disruption.

Vulnerability

The software fails to properly implement authorization checks, allowing an unauthenticated remote attacker to gain unauthorized access to protected functions or manipulate system state.

Business impact

This vulnerability allows unauthenticated users to perform actions that should be restricted, potentially leading to unauthorized data access or service disruption. With a CVSS score of 8.6, the vulnerability represents a significant risk to the integrity and availability of the 9Router deployment.

Remediation

Immediate Action: Upgrade to 9Router version 0.5.2 or later to resolve the authorization logic flaws.

Proactive Monitoring: Review application logs for unauthorized attempts to access restricted API endpoints or administrative routes.

Compensating Controls: Utilize a Web Application Firewall (WAF) to filter out suspicious requests and enforce access control policies at the network edge.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The presence of authorization vulnerabilities in a router/token saver product is critical. Administrators should apply the 0.5.2 update immediately to restore proper access controls and prevent unauthorized manipulation of the service.