Description
9Router is an AI router & token saver. Prior to 0.5.4, the PATCH /api/settings endpoint writes the entire request body to persistent settings without a field whitelist, allowing an authenticated user to set security-critical fields such as requireLogin and disable authentication for the whole application, exposing protected routes such as /api/keys and /api/providers to unauthenticated access. This issue is reported as fixed in version 0.5.4.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Wed, 15 Jul 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | 9Router is an AI router & token saver. Prior to 0.5.4, the PATCH /api/settings endpoint writes the entire request body to persistent settings without a field whitelist, allowing an authenticated user to set security-critical fields such as requireLogin and disable authentication for the whole application, exposing protected routes such as /api/keys and /api/providers to unauthenticated access. This issue is reported as fixed in version 0.5.4. | |
| Title | 9Router: Mass assignment in PATCH /api/settings allows authenticated authorization downgrade | |
| Weaknesses | CWE-915 | |
| References |
| |
| Metrics |
cvssV4_0
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T20:50:30.458Z
Reserved: 2026-06-22T16:39:01.044Z
Link: CVE-2026-56679
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes