Live Exposure Defense: From CVE to Confirmed Exposure in 12 Hours – See more

New CVE Detected

CVE-2026-49352 – Authentication Bypass – 9Router versions 0.2.21 to 0.4.44

Be the first to know when new zero-days emerge:

Summary

CVE-2026-49352 is a critical authentication bypass vulnerability (CVSS 9.8) in 9Router, a self-hosted Node.js/Next.js proxy for AI coding tools. The application shipped a publicly known hardcoded fallback JWT secret — 9router-default-secret-change-me — committed directly to its source repository. When the JWT_SECRET environment variable is not explicitly set, any unauthenticated remote attacker can use this secret to forge a valid auth_token cookie and gain full administrative access to the 9Router dashboard and API. A public proof-of-concept exploit has been available since July 6, 2026.

Technical details

  • Root cause: The literal string 9router-default-secret-change-me is hardcoded as a fallback JWT signing secret in three source files — src/app/api/auth/login/route.js, src/middleware.js, and src/lib/auth/dashboardSession.js (CWE-798: Use of Hard-coded Credentials). Because this value is committed to the public repository and is identical across all affected releases, it cannot be treated as a secret.
  • Trigger condition: The fallback activates whenever the JWT_SECRET environment variable is absent or unset at application startup. Deployments that have explicitly configured JWT_SECRET to a unique random value are not affected.
  • Attack vector: A remote, unauthenticated attacker signs a JWT payload with the publicly known secret and submits the resulting token as an auth_token cookie to any network-reachable 9Router instance. No valid credentials, prior access, or user interaction are required.
  • Impact: Successful exploitation grants complete access to the 9Router dashboard and API — including full confidentiality, integrity, and availability impact on the managed AI routing configuration, connected provider credentials, and any data routed through the instance.
  • Public PoC: A Go-based proof-of-concept (published July 6, 2026 at covepseng/cve-2026-49352-poc) automates exploitation in three steps: forging the dashboard session JWT with the hardcoded secret, presenting it as an auth_token cookie to /dashboard, and optionally probing protected API endpoints such as /api/settings/database to confirm unauthorized access.

Affected software

  • 9Router versions 0.2.21 through 0.4.44 (inclusive)

Severity

  • CVSS v3.1 Base Score: 9.8 (Critical)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Mitigation and recommended actions

  • Immediate — upgrade: Update 9Router to version 0.4.45 or later, which removes the hardcoded fallback secret.
  • If immediate upgrade is not possible — enforce JWT_SECRET: Set the JWT_SECRET environment variable to a cryptographically random value in your deployment configuration (.env, Docker Compose, PM2 ecosystem file, or equivalent). This eliminates the fallback path and prevents exploitation of the hardcoded default, even on unpatched versions.
  • Network mitigation: If 9Router is not required to be internet-facing, restrict access to the dashboard port using firewall rules, network policies, or reverse proxy authentication controls until the upgrade can be applied.

IONIX Status

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

References

Are you exposed?

Get a free report of your organization’s exposure to this CVE and threat

How IONIX’s External Exposure Management Platform Detects and Validates
Zero-Days to Shrink MTTR

1

Map your entire attack surface (continously)

IONIX uses multi-factor discovery methods, including DNS analysis, certificate mapping, metadata inspection, and more, to automatically map every internet-facing asset across your environment. This includes cloud instances, third-party platforms, shadow IT, and even forgotten infrastructure that traditional tools miss.

2

Monitor for new CVEs

Dozens of threat intel feeds using agentic technology are continuously analyzed to detect the appearance of proof-of-concept code, exploit kits, and indicators of active targeting. IONIX goes further by applying AI to proactively evaluate whether emerging vulnerabilities are likely to be exploited, even before PoCs go public.

3

Identify Potential External Exposures

Not all CVEs matter. IONIX filters vulnerabilities by asking attacker-centric questions: Can it be reached from the internet? Does it require authentication? Is it being exploited in the wild? This dramatically reduces noise and focuses teams on threats that can actually be weaponized.

4

Create Safe, Scalable Exploit Validations

IONIX transforms real-world PoCs into safe, non-intrusive test payloads that can be run in production environments without disruption. These simulations are precisely targeted to the systems that are vulnerable, ensuring rapid validation without unnecessary load.

5

Execute Exploit Validations

By combining context about software stack, versioning, exposure status, and reachability, IONIX ensures that only the right payloads are executed against the right assets, maximizing efficiency and minimizing risk.

6

Drive Fast and Actionable Remediation

Results are routed through integrations with ticketing, SOAR, and SIEM tools. Issues are written in plain language, bundled into remediation clusters, and prioritized based on asset criticality, exploitability, and blast radius. This shortens mean time to remediation (MTTR) and empowers teams to act with confidence.

Are you exposed?

Get a free report of your organization’s exposure to this CVE and threat

Subscribe to Threat Center RSS

Copy/paste the link below into your preferred RSS reader or follow these instructions to subscribe to Slack alerts.

Get Real-Time CVE Alerts to Your Email

Be the first to know when new zero-days emerge