Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10269

CVE-2026-10269: decolua 9router Auth Bypass Vulnerability

CVE-2026-10269 is an authentication bypass flaw in decolua 9router up to version 0.4.0 that allows remote attackers to circumvent authorization checks. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-10269 Overview

CVE-2026-10269 is an improper authorization vulnerability [CWE-266] in the decolua/9router project, affecting versions up to 0.4.0. The flaw resides in the isAuthenticated function within src/dashboardGuard.js, part of the HTTP Header Handler component. Attackers can manipulate the Host header to bypass authorization checks remotely without elevated privileges. The maintainers addressed the issue in version 0.4.1 through commit 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca.

Critical Impact

Remote attackers with low-privilege access can manipulate the HTTP Host header to bypass dashboard authorization controls in 9router instances running version 0.4.0 or earlier.

Affected Products

  • decolua 9router versions up to and including 0.4.0
  • Component: HTTP Header Handler (src/dashboardGuard.js)
  • Function: isAuthenticated

Discovery Timeline

  • 2026-06-01 - CVE-2026-10269 published to NVD
  • 2026-06-01 - Last updated in NVD database
  • Patch commit - 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca published in release v0.4.1

Technical Details for CVE-2026-10269

Vulnerability Analysis

The vulnerability stems from authorization logic in dashboardGuard.js that trusts the inbound HTTP Host header when determining whether a request is authenticated. Because the Host header is fully controlled by the client, an attacker can craft a request that satisfies the isAuthenticated check without presenting valid credentials. The flaw is classified under [CWE-266] (Incorrect Privilege Assignment) and affects requests reaching the 9router dashboard guard.

Exploitation requires network access to the application and a low-privilege context. Successful exploitation yields limited impact on confidentiality, integrity, and availability of the dashboard interface, but it undermines the authorization boundary protecting administrative routes.

Root Cause

The original isAuthenticated implementation derived trust signals from request properties like the Host header without binding authorization to a cryptographically verified credential. The patched code introduces a CLI token header (x-9r-cli-token) and validates it against a machine-derived value produced by getConsistentMachineId(CLI_TOKEN_SALT). This shifts authorization from header inspection to a verifiable secret.

Attack Vector

An attacker sends an HTTP request to a 9router instance and sets the Host header to a value that the vulnerable logic treats as trusted. The request reaches protected dashboard routes without satisfying the JWT-based authentication path. No user interaction is required.

javascript
 import { NextResponse } from "next/server";
 import { jwtVerify } from "jose";
 import { getSettings } from "@/lib/localDb";
+import { getConsistentMachineId } from "@/shared/utils/machineId";
 
 const SECRET = new TextEncoder().encode(
   process.env.JWT_SECRET || "9router-default-secret-change-me"
 );
 
+const CLI_TOKEN_HEADER = "x-9r-cli-token";
+const CLI_TOKEN_SALT = "9r-cli-auth";
+
+let cachedCliToken = null;
+async function getCliToken() {
+  if (!cachedCliToken) cachedCliToken = await getConsistentMachineId(CLI_TOKEN_SALT);
+  return cachedCliToken;
+}
+
+async function hasValidCliToken(request) {
+  const token = request.headers.get(CLI_TOKEN_HEADER);
+  if (!token) return false;
+  return token === await getCliToken();
+}
+
 // Always require JWT token regardless of requireLogin setting
 const ALWAYS_PROTECTED = [
   "/api/shutdown",

Source: GitHub Commit 428e2c0. The patch adds explicit CLI token validation so that authorization no longer depends on attacker-controllable headers like Host.

Detection Methods for CVE-2026-10269

Indicators of Compromise

  • HTTP requests to 9router dashboard endpoints containing unusual or spoofed Host header values that do not match the deployed hostname.
  • Successful access to protected dashboard routes without a corresponding valid JWT cookie or Authorization header.
  • Requests targeting ALWAYS_PROTECTED routes such as /api/shutdown without the x-9r-cli-token header on patched systems.

Detection Strategies

  • Inspect reverse proxy and web server logs for Host header values that diverge from the canonical deployment hostname.
  • Correlate dashboard access events with authentication events to identify access without prior login.
  • Hunt for repeated requests to administrative endpoints from a single source attempting different Host values.

Monitoring Recommendations

  • Enable verbose request logging on the 9router service and forward logs to a central analytics platform.
  • Alert on access to administrative routes by clients lacking a valid session cookie or CLI token.
  • Track the installed 9router version across hosts and flag any instance below 0.4.1.

How to Mitigate CVE-2026-10269

Immediate Actions Required

  • Upgrade all 9router deployments to version 0.4.1 or later, which contains the fix from commit 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca.
  • Audit dashboard access logs for unauthorized administrative actions performed before the upgrade.
  • Rotate the JWT_SECRET environment variable, especially if the default value 9router-default-secret-change-me is still in use.

Patch Information

The maintainers released the fix in 9router v0.4.1. The patch introduces a x-9r-cli-token header validated against a machine-derived token through getConsistentMachineId(CLI_TOKEN_SALT). Review the commit details and the corresponding issue 742 for context.

Workarounds

  • Place 9router behind a reverse proxy that enforces a strict allowlist for the Host header and rejects mismatched values.
  • Restrict network exposure of the dashboard to trusted management networks or VPN clients until the upgrade is applied.
  • Require an upstream authentication layer such as mTLS or a reverse-proxy SSO gate for all dashboard routes.
bash
# Example nginx Host header allowlist in front of 9router
server {
    listen 443 ssl;
    server_name router.example.com;

    if ($host != "router.example.com") {
        return 421;
    }

    location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:3000;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.