PatchSiren cyber security CVE debrief
CVE-2026-56678 decolua CVE debrief
CVE-2026-56678 is a vulnerability in 9Router, an AI router & token saver. Prior to version 0.5.6, the Kiro API-key validation endpoint POST /api/oauth/kiro/api-key was vulnerable to a user-controlled region value, allowing an authenticated attacker to supply a crafted region and cause 9Router to send the Kiro validation request to an attacker-controlled host while forwarding the submitted Kiro API key as an Authorization header. The issue is fixed in version 0.5.6. The vulnerability has a CVSS score of 6.4 and is classified as MEDIUM severity. The CVE record was published on 2026-07-15T21:16:55.430Z and has not been modified since then.
- Vendor
- decolua
- Product
- 9router
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-16
Who should care
Users of 9Router AI router & token saver versions prior to 0.5.6 should apply the patch to prevent potential attacks. This includes operators, administrators, and security teams responsible for managing and securing 9Router deployments. Additionally, vulnerability management teams should review the CVE record and official advisory to assess the impact on their organization and plan for remediation.
Technical summary
The Kiro API-key validation endpoint in 9Router AI router & token saver builds an upstream URL using a user-controlled region value. This allows an authenticated attacker to supply a crafted region, such as kiro-canary.local:8443#, and cause 9Router to send the Kiro validation request to an attacker-controlled host while forwarding the submitted Kiro API key as an Authorization header. The issue is fixed in version 0.5.6. The vulnerability has a CVSS score of 6.4 and is classified as MEDIUM severity.
Defensive priority
Medium priority due to the CVSS score of 6.4 and the potential for an authenticated attacker to exploit the vulnerability.
Recommended defensive actions
- Apply the patch by upgrading to 9Router version 0.5.6 or later
- Restrict access to the Kiro API-key validation endpoint
- Monitor for suspicious activity on the network
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-15T21:16:55.430Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The Kiro API-key validation endpoint issue allows an authenticated attacker to supply a crafted region value, causing 9Router to send the Kiro validation request to an attacker-controlled host while forwarding the submitted Kiro API key as an Authorization header. The issue is fixed in version 0.5.6. However, the CVE record does not provide detailed information about the vulnerability, and defenders should review the official advisory for more information.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T21:16:55.430Z and has not been modified since then.