CVE-2026-10269
Status: Deferred - Pending Action
Improper Authorization in Decolua 9router

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A security vulnerability has been detected in decolua 9router up to version 0.4.0. It affects the function isAuthenticated in the file src/dashboardGuard.js of the component HTTP Header Handler. Manipulation of the Host argument leads to improper authorization. The attack can be carried out remotely. Upgrading to version 0.4.1 addresses this issue; the identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-01
Generated: 2026-06-01
AI Q&A: 2026-06-01
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor   | Product | Version / Range
decolua  | 9router | up to 0.4.1 (exclusive)
decolua  | 9router | up to 0.4.0 (inclusive)
decolua  | 9router | 0.4.1
CWE ID  | Description
CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the decolua 9router software up to version 0.4.0, specifically in the isAuthenticated function within the src/dashboardGuard.js file. The issue arises from improper authorization caused by manipulation of the HTTP Host header argument. An attacker can exploit this remotely to bypass authentication checks, potentially gaining unauthorized access to protected resources.

The vulnerability allows unauthorized users to bypass authentication and access sensitive internal API endpoints such as /api/keys and /api/settings. The root cause is an authorization logic error related to how the HTTP headers are handled in the dashboard guard component.

The issue has been fixed in version 0.4.1 by improving origin validation and enforcing stricter authentication mechanisms, including token validation enhancements.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in decolua 9router allows unauthorized users to bypass authentication and gain access to sensitive internal API endpoints such as /api/keys and /api/settings. This unauthorized access poses significant risks to data confidentiality and integrity.

Such risks can impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive personal and health data to protect privacy and ensure data security.

Failure to address this vulnerability could lead to unauthorized disclosure or modification of protected data, potentially resulting in regulatory non-compliance and associated penalties.

Upgrading to version 0.4.1, which includes improved origin validation and stricter authentication mechanisms, is recommended to mitigate these risks and help maintain compliance.


How can this vulnerability impact me?

If exploited, this vulnerability can allow unauthorized users to bypass authentication and gain access to sensitive internal API endpoints. This can lead to exposure of confidential data, unauthorized changes to settings, and potential compromise of the system's integrity.

  • Unauthorized access to sensitive API endpoints such as /api/keys and /api/settings.
  • Potential exposure of confidential information.
  • Ability for attackers to manipulate system settings or configurations.
  • Overall reduction in system security and increased risk of further exploitation.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves improper authorization caused by manipulation of the HTTP Host header, allowing unauthorized access to sensitive internal API endpoints such as /api/keys and /api/settings.

To detect this vulnerability on your network or system, you can monitor HTTP requests targeting these sensitive endpoints and check for unauthorized access attempts.

Since the vulnerability is related to HTTP header manipulation, you can use network traffic inspection tools or web server logs to identify suspicious requests with manipulated Host headers.

Suggested commands include using curl or similar tools to test access control enforcement, for example:

  • curl -H "Host: malicious.example.com" http://your-9router-instance/api/keys
  • curl -H "Host: malicious.example.com" http://your-9router-instance/api/settings

Additionally, reviewing logs for requests to these endpoints without valid authentication tokens or CLI tokens can help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the affected 9router software to version 0.4.1, which addresses this vulnerability by improving authorization logic and enforcing stricter token validation.

Ensure that the Next.js middleware file is correctly named (e.g., middleware.js or middleware.ts) to enforce security measures during runtime.

Implement improved origin validation to prevent manipulation of client-provided HTTP headers, especially the Host header.

Review and apply the patch identified by commit 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca if upgrading immediately is not possible.

Monitor access to sensitive API endpoints and restrict access to trusted clients only.
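The log review described in the detection answer above and the Host-header origin validation named in the mitigation steps, as one added JavaScript example. This is illustrative code written for this page, not the 9router project's own guard or the 0.4.1 patch; the trusted host list, the request shape and the log-line format are assumptions, and the log lines are constructed.

```javascript
// Assumed deployment hosts that are allowed to reach the dashboard API.
const TRUSTED_HOSTS = new Set(['localhost:8080', '127.0.0.1:8080']);
const SENSITIVE_PATHS = ['/api/keys', '/api/settings'];

// Compare the client-supplied Host header against an explicit allowlist
// instead of trusting whatever value the client sends.
function isTrustedHost(hostHeader) {
  if (typeof hostHeader !== 'string') return false;
  const host = hostHeader.trim().toLowerCase();
  // Reject smuggled schemes, paths or whitespace: only host[:port] is accepted.
  if (!/^[a-z0-9.\-]+(:\d{1,5})?$/.test(host)) return false;
  return TRUSTED_HOSTS.has(host);
}

// Hardened guard (hypothetical request shape {path, host, authorization}):
// a sensitive path is reachable only with a trusted Host AND a bearer token.
// Verifying the token value itself is outside this example.
function guardRequest(req) {
  const sensitive = SENSITIVE_PATHS.some((p) => req.path.startsWith(p));
  if (!sensitive) return true;
  return isTrustedHost(req.host) && /^Bearer \S+$/.test(req.authorization || '');
}

// Constructed log format: <ip> "<METHOD> <path>" <status> host="<host>" auth="<present|none>"
const LOG_RE = /^(\S+) "(\w+) (\S+)" (\d{3}) host="([^"]*)" auth="(present|none)"$/;

// Flag requests to sensitive endpoints whose Host is not trusted or that carry no token.
function findSuspiciousRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue; // skip lines that do not match the expected format
    const [, ip, method, path, status, host, auth] = m;
    if (!SENSITIVE_PATHS.some((p) => path.startsWith(p))) continue;
    const reasons = [];
    if (!isTrustedHost(host)) reasons.push('untrusted-host');
    if (auth === 'none') reasons.push('no-token');
    if (reasons.length) hits.push({ ip, method, path, status: Number(status), reasons });
  }
  return hits;
}

// Constructed sample log lines, not real traffic.
const SAMPLE_LOG = [
  '10.0.0.5 "GET /api/keys" 200 host="localhost:8080" auth="present"',
  '203.0.113.7 "GET /api/keys" 200 host="malicious.example.com" auth="none"',
  '203.0.113.7 "GET /api/settings" 200 host="localhost:8080" auth="none"',
  '10.0.0.5 "GET /dashboard" 200 host="localhost:8080" auth="none"',
  '203.0.113.9 "POST /api/settings" 403 host="evil.example.com" auth="present"',
];
const findings = findSuspiciousRequests(SAMPLE_LOG);
console.log(JSON.stringify(findings, null, 2));
```

A 200 response on a flagged line is the signal worth escalating: a patched 0.4.1 instance should reject such requests rather than serve them.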

