CVE-2026-55501 in 9routerinfo

Zusammenfassung

von MITRE • 10.07.2026

9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route.js uses that spoofable value for checkLock and recordFail. A remote attacker can rotate the X-Forwarded-For value on each login attempt to receive a fresh rate-limit bucket, bypass the 5-attempt threshold and progressive lockout durations, and perform unlimited brute-force attempts against the dashboard password. This issue is fixed in version 0.4.80.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Zuständig

GitHub M

Reservieren

17.06.2026

Veröffentlichung

10.07.2026

Moderieren

akzeptiert

Eintrag

VDB-377523

CPE

bereit

EPSS

0.00000

KEV

nein

Aktivitäten

very low

Quellen

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!