CVE-2026-10269
Deferred Deferred - Pending Action
Improper Authorization in Decolua 9router

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10269
EUVD
EUVD-2026-33685
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
decolua 9router to 0.4.1 (exc)
decolua 9router to 0.4.0 (inc)
decolua 9router 0.4.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in decolua 9router allows unauthorized users to bypass authentication and gain access to sensitive internal API endpoints such as /api/keys and /api/settings. This unauthorized access poses significant risks to data confidentiality and integrity.

Such risks can impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive personal and health data to protect privacy and ensure data security.

Failure to address this vulnerability could lead to unauthorized disclosure or modification of protected data, potentially resulting in regulatory non-compliance and associated penalties.

Upgrading to version 0.4.1, which includes improved origin validation and stricter authentication mechanisms, is recommended to mitigate these risks and help maintain compliance.

Executive Summary

This vulnerability exists in the decolua 9router software up to version 0.4.0, specifically in the isAuthenticated function within the src/dashboardGuard.js file. The issue arises from improper authorization caused by manipulation of the HTTP Host header argument. An attacker can exploit this remotely to bypass authentication checks, potentially gaining unauthorized access to protected resources.

The vulnerability allows unauthorized users to bypass authentication and access sensitive internal API endpoints such as /api/keys and /api/settings. The root cause is an authorization logic error related to how the HTTP headers are handled in the dashboard guard component.

The issue has been fixed in version 0.4.1 by improving origin validation and enforcing stricter authentication mechanisms, including token validation enhancements.

Impact Analysis

If exploited, this vulnerability can allow unauthorized users to bypass authentication and gain access to sensitive internal API endpoints. This can lead to exposure of confidential data, unauthorized changes to settings, and potential compromise of the system's integrity.

  • Unauthorized access to sensitive API endpoints such as /api/keys and /api/settings.
  • Potential exposure of confidential information.
  • Ability for attackers to manipulate system settings or configurations.
  • Overall reduction in system security and increased risk of further exploitation.
Detection Guidance

This vulnerability involves improper authorization due to manipulation of the Host argument in HTTP headers, allowing unauthorized access to sensitive internal API endpoints such as /api/keys and /api/settings.

To detect this vulnerability on your network or system, you can monitor HTTP requests targeting these sensitive endpoints and check for unauthorized access attempts.

Since the vulnerability is related to HTTP header manipulation, you can use network traffic inspection tools or web server logs to identify suspicious requests with manipulated Host headers.

Suggested commands include using curl or similar tools to test access control enforcement, for example:

  • curl -H "Host: malicious.example.com" http://your-9router-instance/api/keys
  • curl -H "Host: malicious.example.com" http://your-9router-instance/api/settings

Additionally, reviewing logs for requests to these endpoints without valid authentication tokens or CLI tokens can help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade the affected 9router software to version 0.4.1, which addresses this vulnerability by improving authorization logic and enforcing stricter token validation.

Ensure that the Next.js middleware file is correctly named (e.g., middleware.js or middleware.ts) to enforce security measures during runtime.

Implement improved origin validation to prevent manipulation of client-provided HTTP headers, especially the Host header.

Review and apply the patch identified by commit 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca if upgrading immediately is not possible.

Monitor access to sensitive API endpoints and restrict access to trusted clients only.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10269. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart