Vulnerability  ·  2026-07-17

9Router AI Router — Unauthenticated MCP Bridge and CLI-Tools API Enables Arbitrary Command Execution

VulnerabilityHigh impactGlobalCVE-2026-46339
9Router's proxy middleware left the CLI-tools and MCP bridge API surface completely unauthenticated between versions 0.4.30 and 0.4.37, allowing any remote, unauthenticated attacker to register custom plugins and trigger command execution through the MCP bridge.
9Router sits in front of LLM API traffic as a proxy/router; unauthenticated RCE on this component gives an attacker full control of the host running the AI gateway, including access to all proxied LLM API keys and any downstream tool-execution capability exposed via MCP — a maximal-severity (CVSS 10.0) supply-chain-style compromise of AI infrastructure.
src/proxy.js middleware failed to protect /api/cli-tools/* and /api/mcp/* routes, letting an unauthenticated remote attacker register arbitrary customPlugins via the cowork-settings route and execute commands through the MCP bridge without any authentication.
9Router (AI router & token saver) versions 0.4.30–0.4.37
Upgrade to 9Router 0.4.38 or later; audit for unauthorized plugin registrations. See vendor commit at github.com/decolua/9router.
NVD CVE-2026-463399Router GitHub commit
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →