PatchSiren cyber security CVE debrief
CVE-2026-46339 decolua CVE debrief
The CVE record for CVE-2026-46339 was published on 2026-07-15T21:16:50.067Z and has not been modified since then. The NVD entry is currently Deferred. This critical vulnerability affects 9Router AI router & token saver versions 0.4.30 through 0.4.36, allowing unauthenticated registration of custom plugins and command execution through the MCP bridge. The vulnerability is fixed in version 0.4.37. Users of 9Router AI router & token saver versions 0.4.30 through 0.4.36 should be aware of this critical vulnerability and take necessary actions to mitigate the risk.
- Vendor
- decolua
- Product
- 9router
- CVSS
- CRITICAL 10
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-16
Who should care
Users of 9Router AI router & token saver versions 0.4.30 through 0.4.36 should be aware of this critical vulnerability and take necessary actions to mitigate the risk. Affected operator, platform, vulnerability-management, and security-team impact should be considered.
Technical summary
9Router AI router & token saver versions 0.4.30 through 0.4.36 have a critical vulnerability in src/proxy.js middleware, allowing unauthenticated registration of custom plugins and command execution through MCP bridge. This vulnerability is fixed in version 0.4.37. Affected product deployments should be confirmed in managed environments, and an owner should be assigned for follow-up. Official advisories or CVE records should be reviewed to validate affected scope, severity, and vendor guidance.
Defensive priority
High priority to update 9Router to version 0.4.37 or later and review compensating controls for exposed systems while remediation is scheduled and verified.
Recommended defensive actions
- Update 9Router to version 0.4.37 or later
- Review and restrict access to /api/cli-tools/* and /api/mcp/*
- Monitor for suspicious activity on 9Router instances
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
Evidence from official CVE and NVD records, as well as GitHub security advisories. The CVE record was published on 2026-07-15T21:16:50.067Z and has not been modified since then. The NVD entry is currently Deferred. Affected product deployments should be confirmed in managed environments, and an owner should be assigned for follow-up. Official advisories or CVE records should be reviewed to validate affected scope, severity, and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T21:16:50.067Z and has not been modified since then. The NVD entry is currently Deferred.