PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56675 decolua CVE debrief

CVE-2026-56675 is a security vulnerability in 9Router, an AI router & token saver. Prior to version 0.5.2, 9router misclassifies external requests as local due to treating loopback requests as trusted, allowing /v1/* access without an API key. This issue is fixed in version 0.5.2. The vulnerability has a high CVSS score of 8.3 and is classified as HIGH severity. Users of 9Router AI Router & Token Saver should be aware of this vulnerability and take steps to mitigate it.

Vendor
decolua
Product
9router
CVSS
HIGH 8.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of 9Router AI Router & Token Saver, especially those using versions prior to 0.5.2, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 0.5.2 or later, restricting access to /v1 APIs, and monitoring for suspicious activity. Security teams and operators should review the vulnerability and implement compensating controls if necessary.

Technical summary

The vulnerability in 9Router AI Router & Token Saver allows remote unauthenticated attackers to access /v1 APIs such as /v1/models and potentially abuse configured upstream provider credentials through /v1 proxy endpoints. This is due to the router treating loopback requests as trusted and allowing /v1/* access without an API key. The issue has been fixed in version 0.5.2. Affected users should upgrade to the latest version and restrict access to /v1 APIs.

Defensive priority

High

Recommended defensive actions

  • Upgrade to 9Router version 0.5.2 or later
  • Restrict access to /v1 APIs
  • Monitor for suspicious activity
  • Use API keys for authentication
  • Review compensating controls for exposed systems
  • Check relevant monitoring, detection, and logs for exposed assets
  • Track exceptions and retest remediated assets

Evidence notes

The CVE record was published on 2026-07-10T17:17:01.070Z and last modified on 2026-07-10T17:35:11.103Z. The NVD entry is currently Deferred. This vulnerability affects 9Router AI Router & Token Saver, specifically versions prior to 0.5.2. The vulnerability allows remote unauthenticated attackers to access /v1 APIs and potentially abuse configured upstream provider credentials. Evidence of exploitation is limited, and defenders should verify affected scope and severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T17:17:01.070Z and has not been modified since then. The NVD entry is currently Deferred.