CVE-2026-5842
Received Received - Intake
Authorization Bypass in Decolua 9router Administrative API Endpoint

Publication date: 2026-04-09

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5842
EUVD
EUVD-2026-20853
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
decolua 9router to 0.3.47 (inc)
decolua 9router 0.3.75
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5842 is a critical security vulnerability in the decolua 9router software up to version 0.3.47. It involves a broken access control issue where authentication enforcement is missing or improperly applied on administrative API endpoints under the /api path. While some routes like /dashboard are protected by middleware, many /api/* endpoints lack proper authentication checks, allowing remote attackers to bypass authorization.

This flaw enables unauthenticated attackers to access sensitive administrative functions such as exporting or modifying the database, managing API keys, retrieving provider credentials, changing settings, triggering server-side request forgery (SSRF), and even shutting down the server remotely.

The root cause is improper middleware configuration that fails to protect critical API routes, resulting in full administrative control by unauthorized users.

Impact Analysis

This vulnerability can have severe impacts including complete compromise of the affected 9router system's confidentiality, integrity, and availability.

  • Attackers can export the entire application database, exposing sensitive data.
  • They can import or overwrite database contents, potentially corrupting or altering data.
  • Attackers can list and generate API keys, gaining further unauthorized access.
  • They can retrieve provider credentials and secrets, compromising integrations.
  • Attackers can modify application settings, changing system behavior.
  • They can trigger server-side request forgery (SSRF), potentially attacking internal systems.
  • Attackers can remotely shut down the server, causing denial of service.

Overall, this leads to full administrative control by unauthorized users, posing a critical risk to system security and availability.

Detection Guidance

This vulnerability can be detected by testing access to the administrative API endpoints under the /api/* path without authentication. Specifically, attempts to access endpoints such as /api/settings/database, /api/keys, /api/providers/client, /api/settings, /api/provider-nodes/validate, and /api/shutdown should be made to verify if unauthorized access is possible.

You can use HTTP request commands like curl to test these endpoints remotely. For example:

  • curl -i http://<target-ip>/api/settings/database
  • curl -i http://<target-ip>/api/keys
  • curl -i http://<target-ip>/api/shutdown

If these requests return sensitive data or allow administrative actions without authentication, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include upgrading the 9router software to version 0.3.75 or later, as this version resolves the vulnerability.

Additionally, enforce authentication and authorization checks on all /api/* endpoints to prevent unauthorized access.

  • Avoid relying solely on middleware route matching for security boundaries.
  • Implement centralized authentication validation for all sensitive operations.
  • Apply the principle of least privilege to restrict access.
  • Sanitize and restrict outbound requests to mitigate SSRF risks.
  • Remove or secure administrative endpoints such as shutdown.
  • Rotate all exposed secrets and API keys.
Compliance Impact

The vulnerability in 9Router allows unauthorized remote attackers to bypass authorization and gain full administrative access to sensitive API endpoints. This can lead to exposure, modification, or deletion of sensitive data, including application database contents, API keys, and provider credentials.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and availability.

Specifically, the failure to enforce authentication on administrative API endpoints could result in unauthorized disclosure or alteration of personal or protected health information, violating regulatory requirements for data protection and access control.

Mitigating this vulnerability by upgrading to version 0.3.75 and enforcing proper authentication and authorization checks is essential to maintain compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5842. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart