PatchSiren cyber security CVE debrief
CVE-2026-49352 decolua CVE debrief
CVE-2026-49352 is a critical vulnerability in 9Router, an AI router & token saver. A hardcoded fallback JWT secret was used from version 0.2.21 until 0.4.44, enabling attackers to forge an auth_token cookie when JWT_SECRET was unset. This issue was fixed in version 0.4.44. The vulnerability allows for potential attacks on authentication mechanisms. Users of affected versions should apply the fix and review their authentication setup.
- Vendor
- decolua
- Product
- 9router
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-16
Who should care
Users of 9Router versions between 0.2.21 and 0.4.44 should apply the fix in version 0.4.44 to prevent potential attacks. This includes operators, platform administrators, vulnerability management teams, and security teams who need to review and update their authentication and authorization mechanisms.
Technical summary
The 9Router application, specifically versions 0.2.21 through 0.4.44, utilized a hardcoded fallback JWT secret (9router-default-secret-change-me) in multiple source files (src/app/api/auth/login/route.js, src/middleware.js, and src/lib/auth/dashboardSession.js). This insecure practice allowed attackers to forge an auth_token cookie when the JWT_SECRET environment variable was not set. The vulnerability was addressed in version 0.4.44. Users should review their authentication setup and apply the fix.
Defensive priority
High
Recommended defensive actions
- Upgrade to 9Router version 0.4.44 or later
- Verify and set a secure JWT_SECRET environment variable
- Monitor for suspicious auth_token cookie activity
- Review and update authentication and authorization mechanisms
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-15T21:16:53.743Z and last modified on 2026-07-16T19:16:49.870Z. The NVD entry is currently Deferred. The vulnerability affects 9Router versions between 0.2.21 and 0.4.44. Users should verify their deployments and apply the fix in version 0.4.44. Evidence limits suggest verifying auth_token cookie activity and reviewing authentication mechanisms.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T21:16:53.743Z and has not been modified since then. The NVD entry is currently Deferred.