CVE-2026-9371 ItzCrazyKns CVE debrief

Who should care

Organizations running ItzCrazyKns Vane versions up to 1.12.1 with exposed API endpoints; security teams monitoring for authentication bypass vulnerabilities in open-source search/AI tools; developers evaluating Vane for production deployments requiring authenticated access controls.

Technical summary

The vulnerability exists in the route.ts file of Vane's API component, where authentication checks are absent for certain functionality. The attack vector is network-based with no required privileges or user interaction. Attack complexity is high, indicating specific conditions or timing requirements for successful exploitation. Impact is limited across confidentiality, integrity, and availability dimensions (all rated LOW). The exploit has been publicly disclosed, though the difficult exploitation rating suggests it may require specialized knowledge or tooling. Basic authentication is noted as planned but not yet implemented in affected versions.

Defensive priority

medium

Recommended defensive actions

• Review authentication requirements for all API endpoints in Vane deployments, particularly route.ts
• Monitor for unauthorized API access attempts in application logs
• Implement network-level access controls (IP allowlisting, VPN requirements) as compensating control until patch available
• Subscribe to ItzCrazyKns/Vane repository notifications for security updates
• Evaluate temporary basic authentication implementation if maintaining affected versions
• Assess API exposure to untrusted networks and restrict where possible

Evidence notes

Vulnerability reported through Vuldb with GitHub issue references indicating community awareness. CVE published 2026-05-24, modified 2026-05-26. CVSS 4.0 vector confirms network attack vector with high attack complexity. CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function) identified as primary weaknesses.

Official resources