Executive Summary

CVE-2026-9495 is an Access Control Bypass vulnerability in the @koa/router npm package versions 14.0.0 up to but not including 15.0.0.

The vulnerability occurs because middleware applied via the `.use()` method is silently dropped from the execution chain when the router prefix contains path parameters (e.g., /:id). This means that middleware intended to run on certain routes does not execute if those routes have dynamic path segments.

As a result, protections provided by the middleware—such as authentication, authorization, rate limiting, or input sanitization—can be bypassed by an attacker.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several impacts depending on what the skipped middleware was designed to protect.

• Attackers could bypass authentication and authorization mechanisms, gaining unauthorized access to protected resources.
• Rate limiting protections could be evaded, potentially allowing denial-of-service attacks or abuse of resources.
• Input sanitization middleware could be bypassed, increasing the risk of injection attacks or other input-based vulnerabilities.

Overall, the vulnerability can lead to unintended behavior and security risks in applications using affected versions of @koa/router.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs when middleware applied via `.use()` in @koa/router versions 14.0.0 to before 15.0.0 is silently dropped if the router prefix contains path parameters (e.g., `/:id`). To detect this issue, you can test whether middleware is being executed on routes with parameterized prefixes.

One approach is to add logging or state changes in your middleware and verify if they occur for routes with path parameters. For example, you can add middleware that sets a flag or logs a message and then send requests to routes with parameterized prefixes to check if the middleware runs.

There are no specific network commands provided in the resources, but you can use curl or similar HTTP clients to send requests to affected routes and observe the behavior.

• Add middleware that sets a state variable or logs a message.
• Send HTTP requests to routes with path parameters, e.g., `/api/apps/123/settings`.
• Check logs or response behavior to confirm if middleware executed.
• Example curl command: `curl -v http://yourserver/api/apps/123/settings`

Useful 0 Not Useful 0

Mitigation Strategies

The recommended immediate mitigation is to upgrade the @koa/router package to version 15.0.0 or higher, where the issue has been fixed.

If upgrading immediately is not possible, review your router prefixes and avoid using path parameters in prefixes where middleware execution is critical, or implement additional checks to ensure middleware is applied correctly.

Additionally, audit your middleware to understand what protections might be bypassed and consider adding compensating controls such as additional authentication or input validation at other layers.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to bypass authentication, authorization, rate limiting, or input sanitization depending on the skipped middleware's purpose.

Such bypasses can lead to unauthorized access to sensitive data or systems, which may result in non-compliance with standards and regulations like GDPR or HIPAA that require strict access controls and data protection.

Therefore, if the affected middleware was responsible for enforcing security controls required by these regulations, this vulnerability could cause compliance violations.

Useful 0 Not Useful 0