PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10269 decolua CVE debrief

A medium-severity improper authorization vulnerability in decolua 9router's HTTP Header Handler allows remote attackers to bypass authentication by manipulating the Host header of requests evaluated by the isAuthenticated function in src/dashboardGuard.js. The flaw affects versions up to and including 0.4.0; version 0.4.1 fixes it via commit 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. The CVE was published on June 1, 2026 with a CVSS 4.0 base score of 5.3 (medium). No exploitation in ransomware campaigns has been documented.

Vendor
decolua
Product
9router
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations running decolua 9router version 0.4.0 or earlier, particularly those exposing its dashboard or administrative interface beyond localhost. Security teams monitoring for authorization bypass vulnerabilities in Node.js/JavaScript applications, and developers responsible for authentication middleware, since the pattern (trusting the Host header in an access decision) is not specific to this project.

Technical summary

The vulnerability resides in the isAuthenticated function within src/dashboardGuard.js of decolua 9router versions ≤0.4.0. The function uses the client-supplied HTTP Host header as an input to its authorization decision. Because the Host header is set entirely by the client, a remote attacker can choose a value that satisfies the check and bypass authentication for the dashboard. The HTTP Header Handler component neither validates nor normalizes the header before it reaches this security-critical logic. Remediation is achieved by upgrading to version 0.4.1, which incorporates commit 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. The CVSS 4.0 base vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) records network reachability, low attack complexity, low privileges required, and low confidentiality, integrity and availability impact on the vulnerable system with no impact on subsequent systems.
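To make the failure mode concrete, here is an added example written for this debrief, not code taken from 9router's source: a guard in the style of isAuthenticated that grants access when the client-controlled Host header matches a trusted value, beside a hardened version that uses Host only to reject. The trusted host list, the bearer token and the exact shape of the original check are assumptions for illustration; the page does not reproduce the real code.

```javascript
// Added illustration (not 9router's code): the class of bug described above,
// modelled as a guard that treats a request as trusted when its Host header
// looks local. ASSUMPTION: the real check in src/dashboardGuard.js is not
// reproduced here; only the pattern is.

// Hypothetical hosts the dashboard is meant to be reached at.
const TRUSTED_HOSTS = new Set(['localhost:3000', '127.0.0.1:3000']);
// Loopback peer addresses as Node reports them in req.socket.remoteAddress.
const LOOPBACK_PEERS = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);
// Hypothetical dashboard credential, for the example only.
const DASHBOARD_TOKEN = 'example-token-not-a-real-secret';

// VULNERABLE pattern: a request whose Host header matches a trusted value is
// let through without any credential. Host is chosen by the client, so
//   curl -H 'Host: localhost:3000' http://<exposed-ip>:3000/dashboard
// satisfies the check from anywhere on the network.
function isAuthenticatedVulnerable(req) {
  const host = String(req.headers.host || '').toLowerCase();
  if (TRUSTED_HOSTS.has(host)) return true;   // the bypass: Host alone grants access
  return hasValidToken(req);
}

// HARDENED pattern: Host is only ever used to *deny* (requests for an
// unexpected virtual host are rejected). The trust decision rests on the TCP
// peer address, which a remote client cannot forge, or on a credential.
function isAuthenticatedFixed(req) {
  const host = String(req.headers.host || '').toLowerCase();
  if (!TRUSTED_HOSTS.has(host)) return false; // Host can reject, never admit
  const peer = req.socket && req.socket.remoteAddress;
  if (LOOPBACK_PEERS.has(peer)) return true;  // genuinely local client
  return hasValidToken(req);
}

// Bearer-token check with a constant-time comparison of the secret.
function hasValidToken(req) {
  const m = /^Bearer\s+(\S+)$/.exec(req.headers.authorization || '');
  return m !== null && constantTimeEqual(m[1], DASHBOARD_TOKEN);
}

function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Constructed request objects standing in for http.IncomingMessage.
function makeReq({ host, peer, token }) {
  const headers = { host };
  if (token) headers.authorization = 'Bearer ' + token;
  return { headers, socket: { remoteAddress: peer } };
}

const spoofedRemote = makeReq({ host: 'localhost:3000', peer: '203.0.113.7' });
const genuineLocal = makeReq({ host: 'localhost:3000', peer: '127.0.0.1' });
const remoteWithToken = makeReq({ host: 'localhost:3000', peer: '203.0.113.7', token: DASHBOARD_TOKEN });

console.log('vulnerable guard, spoofed Host from remote peer:', isAuthenticatedVulnerable(spoofedRemote)); // true
console.log('fixed guard, spoofed Host from remote peer:     ', isAuthenticatedFixed(spoofedRemote));      // false
console.log('fixed guard, loopback peer:                     ', isAuthenticatedFixed(genuineLocal));       // true
console.log('fixed guard, remote peer with token:            ', isAuthenticatedFixed(remoteWithToken));    // true
```

Run it with node to see the four decisions. Two caveats a practitioner will want: the hardened guard still rejects an unexpected Host, which is the correct use of the header (it blocks Host poisoning of generated links and cache keys); and req.socket.remoteAddress is the reverse proxy's address when one sits in front of the application, so in that deployment the loopback shortcut must be removed and only the credential path should remain.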

Defensive priority

medium

Recommended defensive actions

  • Upgrade decolua 9router to version 0.4.1 or later, which carries the fix commit.
  • Review Host header handling in src/dashboardGuard.js, particularly within the isAuthenticated function, to ensure authorization checks are performed against trusted host values rather than client-supplied values.
  • Treat the Host header as untrusted input everywhere: it may be used to reject requests for an unexpected virtual host (strict allowlist), but never as evidence that a request is local or comes from an operator. Base the trust decision on a credential or on the socket's peer address; behind a reverse proxy the peer address is the proxy's, so forwarded-for headers should only be honoured when they come from the proxy itself.
  • Monitor for requests to dashboard or administrative endpoints whose Host header does not match the deployed hostname, or whose Host claims a local origin while the connection arrives from a non-loopback peer; either is a candidate exploitation indicator.
  • Apply least privilege to dashboard and administrative interfaces: keep them off untrusted networks so that network-level access controls complement, rather than substitute for, application-layer authentication.
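As an added detection example for the monitoring action in the list above (not PatchSiren or 9router tooling), the following scans constructed access-log lines and flags requests to administrative paths that either carry an unexpected Host header or claim a local Host while arriving from a non-loopback peer. The log format, hostnames, paths and addresses are all constructed for the example; adapt the parser to whatever your front end or application actually logs.

```javascript
// Added detection example (not from the page or from 9router). ASSUMPTION:
// a constructed access-log format in which each line carries the TCP peer
// address, the Host header, the request line and the status code:
//   <peer-ip> <host-header> "<METHOD> <path> HTTP/x.y" <status>
const EXPECTED_HOSTS = new Set(['router.example.internal', 'localhost:3000']);
const LOOPBACK_PEERS = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);
const ADMIN_PATHS = ['/dashboard', '/api/admin'];
const LOG_LINE = /^(\S+) (\S+) "([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})$/;
const LOCAL_LOOKING_HOST = /^(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/;

// Returns a record for a well-formed line, null for anything else.
function parseLine(line) {
  const m = LOG_LINE.exec(line.trim());
  if (!m) return null;
  return { peer: m[1], host: m[2].toLowerCase(), method: m[3], path: m[4], status: Number(m[5]) };
}

function isAdminPath(path) {
  return ADMIN_PATHS.some(p => path === p || path.startsWith(p + '/'));
}

// One finding per suspicious administrative request, with the reasons it tripped.
function findSuspicious(lines) {
  const findings = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || !isAdminPath(r.path)) continue;
    const reasons = [];
    if (!EXPECTED_HOSTS.has(r.host)) reasons.push('unexpected Host');
    // Host claims a local origin but the TCP peer is remote: the spoof pattern.
    if (LOCAL_LOOKING_HOST.test(r.host) && !LOOPBACK_PEERS.has(r.peer)) {
      reasons.push('local Host from remote peer');
    }
    if (reasons.length) {
      findings.push({ peer: r.peer, host: r.host, path: r.path, status: r.status, reasons });
    }
  }
  return findings;
}

// Constructed sample log (not captured traffic).
const SAMPLE_LOG = [
  '127.0.0.1 localhost:3000 "GET /dashboard HTTP/1.1" 200',              // genuine local use
  '203.0.113.7 localhost:3000 "GET /dashboard HTTP/1.1" 200',            // spoofed Host, succeeded
  '203.0.113.7 router.example.internal "GET /dashboard HTTP/1.1" 401',   // normal remote attempt, denied
  '198.51.100.9 evil.example "POST /api/admin/config HTTP/1.1" 200',     // unexpected Host on admin API
  '10.0.0.5 router.example.internal "GET /static/app.js HTTP/1.1" 200',  // not an admin path
];

for (const f of findSuspicious(SAMPLE_LOG)) {
  console.log(`${f.peer} -> ${f.path} (Host: ${f.host}, status ${f.status}): ${f.reasons.join('; ')}`);
}
```

The second sample line is the one worth paging on: a 200 on an administrative path from a non-loopback peer that presented a local Host. If the application sits behind a proxy, take the client address from the proxy's own logs rather than the application's socket peer, or every request will appear to come from the proxy and the second rule never fires.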

Evidence notes

The vulnerability description identifies the affected component as the HTTP Header Handler in src/dashboardGuard.js, specifically the isAuthenticated function. The attack vector is Host header manipulation leading to improper authorization (CWE-266, CWE-285). The CVSS 4.0 vector records a network attack vector, low attack complexity, low privileges required (PR:L), and low confidentiality, integrity and availability impact. The PR:L rating sits uneasily with a description that frames the issue as remote attackers bypassing authentication; until the vendor advisory or the fix commit clarifies the precondition, treat the practical prerequisite as unverified and plan as though no credential is needed. The vendor attribution is marked low confidence ('Unknown Vendor') and requires review; it rests on reference-domain candidate evidence from VulDB.

Official resources

public