CVE-2026-55641

Decolua · 9Router

9Router is vulnerable to multiple security flaws, including authentication bypass and server-side request forgery (SSRF), allowing unauthenticated remote attackers to compromise the system.

Executive summary

The Decolua 9Router AI tool is affected by critical vulnerabilities, including authentication bypass and SSRF, which could allow an unauthenticated attacker to gain unauthorized access.

Vulnerability

This vulnerability consists of an authentication bypass via spoofing and a Server-Side Request Forgery (SSRF) flaw, which can be triggered by an unauthenticated remote attacker with low complexity.

Business impact

Successful exploitation of these vulnerabilities allows for unauthorized access to internal resources and potential information disclosure. With a CVSS score of 8.2, this high-severity flaw poses a significant risk to the integrity and confidentiality of the host environment and any connected AI token services.

Remediation

Immediate Action: Upgrade to version 0.5.2 or later immediately to resolve the identified security weaknesses.

Proactive Monitoring: Monitor network traffic for unexpected outbound requests originating from the 9Router instance, which may indicate active SSRF exploitation.

Compensating Controls: Implement strict egress filtering on the host machine to prevent the software from making unauthorized connections to internal or sensitive external services.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The combination of authentication bypass and SSRF presents a severe risk to any environment hosting 9Router. Administrators must prioritize updating to version 0.5.2 to eliminate these vectors and prevent potential unauthorized access to sensitive system data.