PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55641 decolua CVE debrief

CVE-2026-55641 is a HIGH severity vulnerability in 9Router, an AI router & token saver. The vulnerability allows a remote unauthenticated attacker to bypass API-key authentication by sending a crafted Host header, exposing /v1 proxy to upstream provider calls using stored provider credentials. This issue is fixed in version 0.5.2. Affected product deployments should be reviewed for exposure and updated to prevent unauthorized access.

Vendor
decolua
Product
9router
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of 9Router AI router & token saver versions prior to 0.5.2 should update to the latest version to prevent unauthorized access. Security teams should review affected deployments, monitor for suspicious activity, and restrict access to /v1 LLM proxy requests. Vulnerability management and platform security teams should prioritize updates and compensating controls for exposed systems.

Technical summary

CVE-2026-55641 allows a remote unauthenticated attacker to bypass API-key authentication in 9Router by manipulating the Host header. This exposes the /v1 proxy to internal or cloud-metadata hosts using stored provider credentials. The vulnerability is fixed in version 0.5.2. Users should update to prevent unauthorized access and review /v1/search with searxng provider_options.baseUrl parameter for potential server-side request forgery.

Defensive priority

High priority for 9Router users to update to version 0.5.2 or later and review exposure.

Recommended defensive actions

  • Update 9Router to version 0.5.2 or later
  • Review and restrict access to /v1 LLM proxy requests
  • Monitor for suspicious activity on /v1/search with searxng provider_options.baseUrl parameter
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-10T17:16:59.330Z and has not been modified since then. The NVD entry is currently Deferred. Evidence is limited to CVE.org and NVD details. Defenders should verify affected 9Router deployments and review official advisories for scope and severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T17:16:59.330Z and has not been modified since then.