CVE-2026-56676

decolua · 9router

The 9router AI router and token saver contains vulnerabilities involving TOCTOU race conditions and Server-Side Request Forgery (SSRF) that can be exploited by authenticated users.

Executive summary

9router contains race condition and SSRF vulnerabilities that could allow an authenticated user to perform unauthorized actions or pivot through the network.

Vulnerability

This vulnerability involves a Time-of-check Time-of-use (TOCTOU) race condition and Server-Side Request Forgery (SSRF) flaws. The attacker must have a low level of privileges to trigger these conditions, which can lead to unauthorized request execution or state manipulation within the software.

Business impact

With a CVSS score of 7.4, this vulnerability poses a high risk to the confidentiality and integrity of the AI routing infrastructure. A successful exploit could allow an attacker to bypass security checks or use the router to perform requests against internal resources, potentially leading to unauthorized data access or service disruption.

Remediation

Immediate Action: Update the 9router software to version 0.5.2 or later to include the necessary security fixes.

Proactive Monitoring: Review application and system logs for unexpected outbound requests originating from the 9router service that may indicate SSRF attempts.

Compensating Controls: Ensure that the 9router service is running with the least privilege necessary and use egress filtering to prevent the application from making unauthorized requests to internal network segments.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Users of the 9router software should update to version 0.5.2 immediately. Given the nature of SSRF and race condition flaws, rapid patching is essential to prevent internal network exploitation by authenticated actors.