Description
A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component.
Published: 2026-04-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Upgrade
AI Analysis

Impact

An unauthorized API call in decolua 9router up to version 0.3.47 permits a malicious actor to bypass authentication controls and obtain administrative privileges without supplying valid credentials. The flaw originates from an improper authorization check in a component of the /api administrative endpoint. The vulnerability can be exploited remotely by sending specially crafted HTTP requests, potentially enabling attackers to modify router configuration, access confidential data, or disrupt network services.

Affected Systems

The vulnerability affects decolua 9router router firmware, specifically the Administrative API Endpoint component. Any appliance running firmware version 0.3.47 or earlier is susceptible. Upgrading the firmware to version 0.3.75 or later removes the flaw and closes this bypass.

Risk and Exploitability

The CVSS base score of 6.9 indicates medium severity, but the attack scenario is realistic and requires little effort from an attacker. No EPSS data is available and the issue is not in CISA KEV; however, publicly available exploit code confirms that remote exploitation can be achieved quickly. Because the attack can be performed from outside the local network against the exposed API endpoint, the risk to organizations remains high until the firmware is updated or the endpoint is isolated with network controls.

Generated by OpenCVE AI on April 9, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade decolua 9router firmware to version 0.3.75 or later.
  • Verify the firmware version on each device to confirm the upgrade succeeded.
  • If an upgrade cannot be performed immediately, restrict external access to the administrative API endpoint using firewall rules or network segmentation.

Advisories

Source: GitHub GHSA
ID: GHSA-xrrh-p7f2-27vm
Title: decolua 9router vulnerable to authorization bypass
History

Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values Added: Decolua; Decolua 9router

Type: Vendors & Products
Values Added: Decolua; Decolua 9router

Thu, 09 Apr 2026 05:15:00 +0000

Type: Description
Values Added: A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component.

Type: Title
Values Added: decolua 9router Administrative API Endpoint api authorization

Type: Weaknesses
Values Added: CWE-285; CWE-639

Type: References
Values Added:

Type: Metrics
Values Added:

cvssV2_0
{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0
{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1
{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0
{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-09T04:30:17.225Z

Reserved: 2026-04-08T17:43:46.180Z

Link: CVE-2026-5842

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-09T05:16:06.380

Modified: 2026-04-09T05:16:06.380

Link: CVE-2026-5842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:24:58Z

Weaknesses