CVE-2026-56676
Received Received - Intake

Server-Side Request Forgery in 9Router AI Router

Vulnerability report for CVE-2026-56676, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

9Router is an AI router & token saver. Prior to 0.5.2, 9router validates image URLs by resolving the host before fetching, but open-sse/translator/concerns/image.js performs the later server-side image fetch with a separate DNS resolution. An authenticated attacker with access to the LLM proxy can use a vision-capable model and an attacker-controlled DNS name that first resolves to a public IP and then rebinds to an internal address, allowing server-side requests to internal-only HTTP services. This issue is fixed in version 0.5.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
decolua 9router 0.5.2
decolua 9router to 0.5.2 (exc)
9router 9router to 0.5.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56676 is a Server-Side Request Forgery (SSRF) vulnerability in the 9router software prior to version 0.5.2. The issue arises because 9router validates image URLs by resolving the host before fetching the image, but the actual server-side fetch performs a separate DNS resolution. An attacker who is authenticated and has access to the LLM proxy can exploit this by using a vision-capable model and an attacker-controlled DNS name that initially resolves to a public IP address but then rebinds to an internal IP address during the fetch. This allows the attacker to make the server send requests to internal-only HTTP services that are normally inaccessible from outside.

The root cause is a DNS time-of-check to time-of-use (TOCTOU) race condition where the IP address is not pinned between the initial validation and the actual fetch, enabling DNS rebinding attacks.

Compliance Impact

CVE-2026-56676 is a high-severity Server-Side Request Forgery (SSRF) vulnerability that allows an attacker to access internal-only HTTP services by exploiting DNS rebinding. This can lead to unauthorized access to sensitive internal resources that are not exposed externally.

Such unauthorized internal access could potentially lead to exposure or compromise of sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA if personal or protected health information is involved.

Organizations using vulnerable versions of 9router may face increased risk of data breaches or unauthorized data access, which are critical compliance concerns under these standards.

Mitigating this vulnerability by upgrading to version 0.5.2 or applying the recommended fixes helps reduce the risk of non-compliance due to unauthorized internal access.

Impact Analysis

This vulnerability can allow an attacker to bypass network restrictions and access internal-only HTTP services that are not exposed to the public network. By exploiting the DNS rebinding attack, the attacker can make the server-side component of 9router send requests to internal services such as cloud metadata endpoints or admin panels.

Such unauthorized access can lead to information disclosure, unauthorized control, or manipulation of internal services, potentially compromising the security and integrity of the affected system.

The CVSS score of 7.4 indicates a high severity with low attack complexity and no need for user interaction, meaning the vulnerability is relatively easy to exploit by an authenticated attacker.

Detection Guidance

Detection of this vulnerability involves monitoring for unusual server-side requests to internal-only HTTP services triggered via the /v1/chat/completions endpoint when using vision-capable models with image URLs.

Since the vulnerability exploits DNS rebinding, one way to detect it is to look for DNS resolutions that change IP addresses between validation and fetch phases, especially from public IPs to internal/private IPs.

Network monitoring tools can be used to detect unexpected outbound requests to internal IP ranges from the 9router service.

Suggested commands include using network packet capture tools like tcpdump or Wireshark to monitor traffic from the 9router server to internal IP ranges (e.g., 10.0.0.0/8, 192.168.0.0/16). For example:

  • tcpdump -i <interface> host <9router-server-ip> and dst net 10.0.0.0/8
  • tcpdump -i <interface> host <9router-server-ip> and dst net 192.168.0.0/16

Additionally, inspecting application logs for requests to the /v1/chat/completions endpoint with image URLs and checking for DNS resolution inconsistencies or errors may help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include upgrading 9router to version 0.5.2 or later, where the vulnerability is fixed.

The fix involves pinning resolved IP addresses after DNS validation to prevent DNS rebinding, blocking private/internal IP ranges at connect time, performing DNS resolution immediately before the request, and enforcing allowlists for image-fetch domains.

If upgrading is not immediately possible, consider restricting network access from the 9router service to internal-only IP ranges to prevent SSRF exploitation.

Also, monitor and audit usage of the /v1/chat/completions endpoint, especially when vision-capable models and image URLs are involved.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56676. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart