Description
9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest() to protect /api/mcp/*, /api/tunnel/*, and /api/cli-tools/*, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP child process stdin paths.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-6g2f-w7g3-77vf | 9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING |
References
History
Wed, 15 Jul 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | 9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest() to protect /api/mcp/*, /api/tunnel/*, and /api/cli-tools/*, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP child process stdin paths. | |
| Title | 9Router: Local-Only Access Gate Bypass in 9router via Host Header SpoofING | |
| Weaknesses | CWE-290 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T20:49:15.693Z
Reserved: 2026-05-29T14:35:45.903Z
Link: CVE-2026-49353
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-290
Authentication Bypass by Spoofing
Github GHSA