Description
A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the isAuthenticated function of the HTTP Header Handler, where an attacker can manipulate the Host header to bypass authentication. This allows an unauthenticated user to gain access to the dashboard component, potentially exposing sensitive configuration information. The weakness corresponds to improper authorization (CWE-266 and CWE-285).

Affected Systems

All installations of decolua 9router version 0.4.0 or earlier are vulnerable. The issue is limited to the dashboardGuard module in the HTTP Header Handler. A fix is available in release 0.4.1, which includes commit 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not widely exploited yet. Exploitation requires making a remote HTTP request to a target running the vulnerable component with a crafted Host header. No local privileges are necessary, and the attack can be performed from any network accessible to the server.

Generated by OpenCVE AI on June 1, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the 9router component to version 0.4.1 or later, ensuring the patch commit is applied
  • Disable or tightly validate the Host header on the web server to prevent manipulation
  • Confirm that authentication checks remain active when requests originate from trusted network sources
  • Document the change and verify that the dashboard remains protected by proper authentication

Generated by OpenCVE AI on June 1, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended.
Title decolua 9router HTTP Header dashboardGuard.js isAuthenticated improper authorization
First Time appeared Decolua
Decolua 9router
Weaknesses CWE-266
CWE-285
CPEs cpe:2.3:h:decolua:9router:*:*:*:*:*:*:*:*
Vendors & Products Decolua
Decolua 9router
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Decolua 9router
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T15:15:09.660Z

Reserved: 2026-05-31T14:09:33.434Z

Link: CVE-2026-10269

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-01T17:16:43.097

Modified: 2026-06-01T17:57:16.380

Link: CVE-2026-10269

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T18:30:06Z

Weaknesses