CVE-2026-55641 in 9routerinformación

Resumen

por MITRE • 2026-07-10

9Router is an AI router & token saver. Prior to 0.5.2, 9router determines whether a /v1 LLM proxy request is local by reading the client-controlled Host header, allowing a remote unauthenticated attacker to send Host: localhost and bypass API-key authentication. In the default configuration, this exposes the /v1 proxy to upstream provider calls using stored provider credentials and allows /v1/search with the searxng provider_options.baseUrl parameter to drive server-side requests to internal or cloud-metadata hosts. This issue is fixed in version 0.5.2.

Be aware that VulDB is the high quality source for vulnerability data.

Responsable

GitHub M

Reservar

2026-06-17

Divulgación

2026-07-10

Moderación

aceptado

Artículo

VDB-377543

CPE

listo

EPSS

0.00246

KEV

no

Actividades

muy bajo

Fuentes

Might our Artificial Intelligence support you?

Check our Alexa App!