CVE-2026-55501
Received Received - Intake

Authentication Bypass via X-Forwarded-For in 9Router

Vulnerability report for CVE-2026-55501, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route.js uses that spoofable value for checkLock and recordFail. A remote attacker can rotate the X-Forwarded-For value on each login attempt to receive a fresh rate-limit bucket, bypass the 5-attempt threshold and progressive lockout durations, and perform unlimited brute-force attempts against the dashboard password. This issue is fixed in version 0.4.80.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
decolua 9router to 0.4.80 (exc)
decolua 9router From 0.4.77 (inc)
decolua 9router 0.4.80

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to bypass brute-force protections on the 9router dashboard by spoofing the X-Forwarded-For HTTP header, enabling unlimited login attempts and potentially gaining administrative access.

Such unauthorized access could lead to exposure or modification of sensitive data, including provider credentials, API keys, and dashboard settings.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to bypass authentication and access sensitive information could result in violations of these regulations, which require protection of personal and sensitive data against unauthorized access.

Executive Summary

This vulnerability exists in the 9router dashboard login rate limiter, which relies on the X-Forwarded-For HTTP header to identify clients. Since this header is attacker-controlled and spoofable, a remote attacker can manipulate it by rotating its value on each login attempt. This allows the attacker to bypass the rate limiting mechanism that normally restricts the number of login attempts and enforces progressive lockouts after failures.

Because the rate limiter uses this spoofable header to track failed login attempts, the attacker can effectively reset the failure count with each attempt, enabling unlimited brute-force attacks against the dashboard password.

The vulnerability affects versions of 9router prior to 0.4.80 and is fixed by using a trusted source for client IP identification instead of the X-Forwarded-For header.

Impact Analysis

This vulnerability can allow an attacker to perform unlimited brute-force login attempts on the 9router dashboard by bypassing the rate limiting protections.

If the attacker successfully guesses the dashboard password, especially if it is weak or the default password, they can gain administrative access.

  • Access to provider credentials
  • Access to API keys
  • Modification of dashboard settings
  • Ability to disable login protection
  • Ability to modify configurations

Overall, this can lead to a complete compromise of the 9router system, exposing sensitive data and control to unauthorized users.

Detection Guidance

This vulnerability can be detected by monitoring login attempts to the 9router dashboard for unusual patterns of the X-Forwarded-For HTTP header values. Specifically, if you observe a high number of login attempts where the X-Forwarded-For header changes frequently or appears spoofed, it may indicate exploitation attempts bypassing the rate limiter.

To detect such activity, you can analyze web server logs or network traffic for repeated login requests with varying X-Forwarded-For values.

Example commands to help detect this might include:

  • Using grep to find login attempts and extract X-Forwarded-For headers from logs: grep 'login' /var/log/nginx/access.log | awk -F 'X-Forwarded-For: ' '{print $2}' | cut -d ' ' -f1 | sort | uniq -c | sort -nr
  • Using tcpdump to capture HTTP traffic and filter for X-Forwarded-For headers: tcpdump -i eth0 -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'X-Forwarded-For'

These commands help identify if multiple distinct X-Forwarded-For values are being used in rapid succession, which is a key indicator of this vulnerability being exploited.

Mitigation Strategies

The immediate mitigation step is to upgrade 9router to version 0.4.80 or later, where this vulnerability is fixed by ignoring the attacker-controlled X-Forwarded-For header for rate limiting and instead using a trusted, unspoofable client IP source.

Additional mitigation measures include:

  • Configure the TRUST_PROXY setting to ensure the system uses a trusted header (x-9r-real-ip) for client IP identification.
  • Strip or ignore client-supplied forwarding headers like X-Forwarded-For to prevent IP spoofing.
  • Enforce password changes on first remote login if the default password is still in use to reduce risk from brute-force attacks.
  • Use the new /api/auth/reset-password endpoint for secure password resets instead of modifying local database files.

These steps collectively improve authentication security and prevent attackers from bypassing rate limits using spoofed IP addresses.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55501. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart