PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55501 decolua CVE debrief

CVE-2026-55501 is a HIGH severity vulnerability in 9Router, an AI router & token saver. The dashboard login rate limiter can be bypassed due to improper client identity derivation from the attacker-controlled X-Forwarded-For HTTP header. This allows a remote attacker to perform unlimited brute-force attempts against the dashboard password. The issue is fixed in version 0.4.80. Affected organizations should prioritize updating to the latest version to prevent potential attacks.

Vendor
decolua
Product
9router
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of 9Router versions prior to 0.4.80 should apply the patch to prevent potential brute-force attacks on the dashboard password. This includes operators, administrators, and security teams responsible for managing and securing 9Router deployments. Affected organizations should review their current configurations and update to version 0.4.80 or later to mitigate the vulnerability.

Technical summary

The dashboard login rate limiter in 9Router's src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header. This value is then used in src/app/api/auth/login/route.js for checkLock and recordFail. An attacker can rotate the X-Forwarded-For value on each login attempt to receive a fresh rate-limit bucket, bypassing the 5-attempt threshold and progressive lockout durations. This allows for unlimited brute-force attempts against the dashboard password. The issue is fixed in version 0.4.80 of 9Router.

Defensive priority

High priority should be given to updating 9Router to version 0.4.80 or later to prevent potential brute-force attacks. Organizations should also consider implementing additional security controls, such as monitoring and alternative authentication methods, to further protect against this vulnerability.

Recommended defensive actions

  • Update 9Router to version 0.4.80 or later
  • Implement additional monitoring for brute-force attempts against the dashboard password
  • Consider using alternative authentication methods or additional security controls
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-10T16:16:33.493Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The issue is fixed in version 0.4.80 of 9Router. Evidence limits suggest that additional details may be required to fully understand the vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T16:16:33.493Z and has not been modified since then. The NVD entry is currently Deferred.