CVE-2026-56679 Overview
CVE-2026-56679 affects 9Router, an AI router and token saver application. The PATCH /api/settings endpoint writes the entire request body to persistent settings without a field whitelist. An authenticated user can modify security-critical fields such as requireLogin to disable authentication for the entire application. This exposes protected routes including /api/keys and /api/providers to unauthenticated access. The vulnerability is classified under [CWE-915] (Improperly Controlled Modification of Dynamically-Determined Object Attributes) and is fixed in version 0.5.4.
Critical Impact
An authenticated low-privilege user can disable application-wide authentication, exposing API keys and provider configurations to unauthenticated attackers.
Affected Products
- 9Router versions prior to 0.5.4
- Repository: decolua/9router on GitHub
- Fixed release: 9Router 0.5.4
Discovery Timeline
- 2026-07-15 - CVE-2026-56679 published to NVD
- 2026-07-16 - Last updated in NVD database
Technical Details for CVE-2026-56679
Vulnerability Analysis
The flaw is a mass assignment vulnerability in the settings management API. The PATCH /api/settings handler accepts arbitrary JSON fields from the request body and persists them directly to the settings store. No allowlist restricts which fields callers may modify. As a result, authenticated users can overwrite fields the developer never intended to expose, including the requireLogin flag that gates authentication middleware.
Because the requireLogin flag governs whether the application enforces authentication, flipping it to false disables session validation on every protected route. The endpoints /api/keys and /api/providers then become reachable without credentials.
Root Cause
The root cause is the absence of a field whitelist on the settings update path. The application trusts the shape of the incoming request body and merges it directly into persistent configuration. Security-sensitive configuration keys share the same storage and update mechanism as user-editable preferences, so no boundary prevents privilege-relevant changes.
Attack Vector
An attacker with any valid authenticated session sends a PATCH request to /api/settings with a JSON payload that includes requireLogin: false. The server persists the change. Subsequent requests to /api/keys, /api/providers, and other protected routes succeed without authentication, allowing extraction of API keys and upstream AI provider configurations. See the GitHub Security Advisory GHSA-vmjq-hvgq-2wv4 for maintainer-published technical details.
Detection Methods for CVE-2026-56679
Indicators of Compromise
- Unexpected PATCH /api/settings requests containing security-relevant field names such as requireLogin, auth, or similar authentication toggles.
- Access log entries to /api/keys or /api/providers without a preceding successful authentication event.
- Configuration state where requireLogin transitions from true to false outside a documented administrative change window.
Detection Strategies
- Instrument the settings update handler to log the full set of changed keys and the actor identity for each PATCH operation.
- Alert on any modification of authentication-related configuration fields, regardless of the requesting user's role.
- Correlate settings changes with subsequent anonymous access to sensitive endpoints to identify exploitation sequences.
Monitoring Recommendations
- Track the persistent value of requireLogin and alert on any change to false.
- Monitor egress from the 9Router host for unusual outbound traffic to third-party AI providers, which may indicate stolen API keys in use.
- Review authentication logs for gaps where protected endpoints returned 200 responses without a corresponding session token.
How to Mitigate CVE-2026-56679
Immediate Actions Required
- Upgrade 9Router to version 0.5.4 or later without delay.
- Rotate all API keys and provider credentials stored in 9Router, assuming they may have been exposed.
- Audit the current settings state and reset requireLogin and other security-critical fields to their intended values.
- Review access logs for anonymous requests to /api/keys and /api/providers since deployment.
Patch Information
The issue is fixed in 9Router version 0.5.4. The maintainer's advisory is available at GHSA-vmjq-hvgq-2wv4. Upgrading is the only supported remediation.
Workarounds
- If immediate upgrade is not possible, place 9Router behind a reverse proxy that enforces authentication independently of the application's internal requireLogin flag.
- Restrict network access to the 9Router administrative interface to trusted operators only, reducing the pool of authenticated users who can trigger the flaw.
- Block PATCH /api/settings requests at the proxy layer until the upgrade is applied.
# Example reverse proxy rule to block the vulnerable endpoint
location = /api/settings {
if ($request_method = PATCH) {
return 403;
}
proxy_pass http://9router_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

