CVE-2026-5842
Authorization Bypass in Decolua 9router Administrative API Endpoint
Publication date: 2026-04-09
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| decolua | 9router | up to and including 0.3.47 |
| decolua | 9router | 0.3.75 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5842 is a critical security vulnerability in the decolua 9router software up to version 0.3.47. It involves a broken access control issue where authentication enforcement is missing or improperly applied on administrative API endpoints under the /api path. While some routes like /dashboard are protected by middleware, many /api/* endpoints lack proper authentication checks, allowing remote attackers to bypass authorization.
This flaw enables unauthenticated attackers to access sensitive administrative functions such as exporting or modifying the database, managing API keys, retrieving provider credentials, changing settings, triggering server-side request forgery (SSRF), and even shutting down the server remotely.
The root cause is improper middleware configuration that fails to protect critical API routes, resulting in full administrative control by unauthorized users.
How can this vulnerability impact me?
This vulnerability can have severe impacts including complete compromise of the affected 9router system's confidentiality, integrity, and availability.
- Attackers can export the entire application database, exposing sensitive data.
- They can import or overwrite database contents, potentially corrupting or altering data.
- Attackers can list and generate API keys, gaining further unauthorized access.
- They can retrieve provider credentials and secrets, compromising integrations.
- Attackers can modify application settings, changing system behavior.
- They can trigger server-side request forgery (SSRF), potentially attacking internal systems.
- Attackers can remotely shut down the server, causing denial of service.
Overall, this leads to full administrative control by unauthorized users, posing a critical risk to system security and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing access to the administrative API endpoints under the /api/* path without authentication. Specifically, attempts to access endpoints such as /api/settings/database, /api/keys, /api/providers/client, /api/settings, /api/provider-nodes/validate, and /api/shutdown should be made to verify if unauthorized access is possible.
You can use HTTP request commands like curl to test these endpoints remotely. For example:
- `curl -i http://<target-ip>/api/settings/database`
- `curl -i http://<target-ip>/api/keys`
- `curl -i http://<target-ip>/api/shutdown`
If these requests return sensitive data or allow administrative actions without authentication, the vulnerability is present.
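Probing the endpoints tells you whether an instance is exposed; reviewing access logs tells you whether anyone has already reached them. The following is an added example, not part of this advisory or of the 9router project. It assumes a reverse proxy in front of 9router that writes one JSON object per request and records whether an `Authorization` header was present (a standard combined-format log does not carry that field); the log lines, timestamps and addresses are constructed for the illustration. A 2xx response to one of the administrative endpoints named above with no credentials is exactly what a patched instance should never produce, so each such event becomes a finding.

```javascript
'use strict';

// Administrative endpoints named in the advisory.
const ADMIN_ENDPOINTS = [
  '/api/settings/database', '/api/keys', '/api/providers/client',
  '/api/settings', '/api/provider-nodes/validate', '/api/shutdown',
];

// Constructed sample log (assumed JSON-lines format emitted by a reverse proxy;
// "auth" records whether an Authorization header was present). Not a real capture.
const SAMPLE_LOG = `
{"ts":"2026-04-10T08:00:01Z","src":"203.0.113.5","method":"GET","path":"/api/settings/database","status":200,"auth":false}
{"ts":"2026-04-10T08:00:02Z","src":"203.0.113.5","method":"GET","path":"/api/keys","status":200,"auth":false}
{"ts":"2026-04-10T08:00:03Z","src":"10.0.0.7","method":"GET","path":"/api/settings","status":200,"auth":true}
{"ts":"2026-04-10T08:00:04Z","src":"198.51.100.9","method":"GET","path":"/dashboard","status":302,"auth":false}
{"ts":"2026-04-10T08:00:05Z","src":"203.0.113.5","method":"POST","path":"/api/shutdown","status":200,"auth":false}
{"ts":"2026-04-10T08:00:06Z","src":"203.0.113.5","method":"GET","path":"/api/keys","status":401,"auth":false}
this line is deliberately malformed and must be skipped
`;

// Parse JSON-lines text into event objects, skipping blank or malformed lines.
function parseLog(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const t = line.trim();
    if (!t) continue;
    try { events.push(JSON.parse(t)); } catch (e) { /* malformed line: skip */ }
  }
  return events;
}

// True when the request path is one of the admin endpoints or a sub-path/query of one.
function isAdminPath(path) {
  return ADMIN_ENDPOINTS.some(e =>
    path === e || path.startsWith(e + '/') || path.startsWith(e + '?'));
}

// One finding per successful (2xx) unauthenticated request to an admin endpoint.
// Shutdown and database export/import are rated high because they directly hit
// availability and the full data set; the rest are rated medium.
function findUnauthenticatedAdminAccess(events) {
  return events
    .filter(e => isAdminPath(e.path) && e.auth === false && e.status >= 200 && e.status < 300)
    .map(e => ({
      ts: e.ts, src: e.src, method: e.method, path: e.path, status: e.status,
      severity: (e.path.startsWith('/api/shutdown') || e.path.startsWith('/api/settings/database'))
        ? 'high' : 'medium',
    }));
}

// Group findings by source address so a triage note can say who touched what.
function summariseBySource(findings) {
  const bySrc = new Map();
  for (const f of findings) {
    const entry = bySrc.get(f.src) || { count: 0, paths: new Set() };
    entry.count += 1;
    entry.paths.add(f.path);
    bySrc.set(f.src, entry);
  }
  return bySrc;
}

const findings = findUnauthenticatedAdminAccess(parseLog(SAMPLE_LOG));
for (const f of findings) {
  console.log(`[${f.severity}] ${f.ts} ${f.src} ${f.method} ${f.path} -> ${f.status}`);
}
```

On the constructed log this reports three findings, all from 203.0.113.5: the database export, the key listing and the shutdown call. The 401 on the last `/api/keys` request is not reported, which is the response a patched 0.3.75 instance returns for every one of these paths, so the same rule keeps working as a post-upgrade regression check.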
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the 9router software to version 0.3.75 or later, as this version resolves the vulnerability.
Additionally, enforce authentication and authorization checks on all /api/* endpoints to prevent unauthorized access.
- Avoid relying solely on middleware route matching for security boundaries.
- Implement centralized authentication validation for all sensitive operations.
- Apply the principle of least privilege to restrict access.
- Sanitize and restrict outbound requests to mitigate SSRF risks.
- Remove or secure administrative endpoints such as shutdown.
- Rotate all exposed secrets and API keys.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in 9router allows unauthorized remote attackers to bypass authorization and gain full administrative access to sensitive API endpoints. This can lead to exposure, modification, or deletion of sensitive data, including application database contents, API keys, and provider credentials.
Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and availability.
Specifically, the failure to enforce authentication on administrative API endpoints could result in unauthorized disclosure or alteration of personal or protected health information, violating regulatory requirements for data protection and access control.
Mitigating this vulnerability by upgrading to version 0.3.75 and enforcing proper authentication and authorization checks is essential to maintain compliance with these standards.