CVE-2026-49352 in 9routerinfo

Summary

by MITRE • 07/16/2026

9Router is an AI router & token saver. From 0.2.21 until 0.4.44, 9Router used the hardcoded fallback JWT secret 9router-default-secret-change-me in src/app/api/auth/login/route.js, src/middleware.js, and later src/lib/auth/dashboardSession.js, allowing attackers to forge an auth_token cookie when JWT_SECRET was unset. This issue is fixed in version 0.4.44

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability identified in 9Router versions 0.2.21 through 0.4.44 represents a critical security flaw involving the improper handling of authentication tokens within the application's backend services. This issue manifests as a hardcoded JWT secret value that remains unchanged across different deployments, creating a persistent weakness that can be exploited by malicious actors to gain unauthorized access to protected resources. The vulnerability affects multiple core authentication files including the login endpoint handler, middleware implementations, and dashboard session management components, indicating a systemic approach to authentication handling rather than isolated component failure.

The technical implementation of this flaw stems from the developers' decision to embed a default secret value directly within the source code without proper configuration management or environment variable support. When the JWT_SECRET environment variable is not properly set during deployment, the system automatically falls back to using the hardcoded value 9router-default-secret-change-me, which serves as a well-known credential that any attacker can leverage. This approach violates fundamental security principles regarding secret management and demonstrates a lack of proper input validation and secure configuration practices.

The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables attackers to forge authentication tokens that grant full access to protected dashboard functionalities and user sessions. The attack surface includes not only the login endpoint but also any subsequent authenticated routes that rely on the forged tokens for authorization checks. This creates a pathway for privilege escalation attacks where an attacker could potentially access sensitive data, modify system configurations, or perform administrative actions within the 9Router environment. The vulnerability aligns with CWE-798, which specifically addresses the use of hardcoded credentials in software applications.

Security practitioners should consider this issue in relation to ATT&CK framework techniques such as T1566 for credential access and T1078 for valid accounts usage. The vulnerability demonstrates a classic case of insecure credential storage where secrets are embedded within application code rather than being managed through proper configuration management systems. Organizations deploying 9Router should immediately verify their current versions and ensure that all installations have been updated to version 0.4.44 or later where the hardcoded secret has been removed from the codebase.

The mitigation strategy requires immediate implementation of proper environment variable configuration for JWT secrets, ensuring that all deployments use randomly generated, unique secret values rather than default configurations. Additionally, developers should implement proper error handling when environment variables are not set, rather than falling back to hardcoded values. This vulnerability serves as a reminder of the importance of following security best practices such as the principle of least privilege and secure configuration management, which are fundamental requirements in both NIST SP 800-53 and ISO/IEC 27001 standards for information security management. The fix implemented in version 0.4.44 addresses this by removing the hardcoded secret from the source code and requiring explicit configuration of authentication secrets during deployment.

Responsible

GitHub M

Reservation

05/29/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!