Vulnerability  ·  2026-07-17

9Router — Hardcoded Fallback JWT Secret Enables Auth Token Forgery

VulnerabilityHigh impactGlobalCVE-2026-49352
9Router shipped with a static, publicly known fallback JWT signing secret used whenever an operator failed to set a custom one, allowing trivial forgery of authenticated session cookies.
Combined with 9Router's role as an AI/LLM traffic router, forged admin tokens grant full control over routed API keys, plugin configuration, and MCP bridge — a critical authentication bypass in widely-deployed AI gateway infrastructure.
9Router used a hardcoded fallback JWT secret ('9router-default-secret-change-me') across login, middleware, and dashboard session code, letting an attacker forge a valid auth_token cookie whenever the operator did not override the JWT secret, granting full authenticated access to the router's dashboard and APIs.
9Router 0.2.21 – 0.4.44
Upgrade past 0.4.44 and ensure a unique JWT secret is explicitly configured; rotate any tokens issued while the default secret was active.
NVD CVE-2026-49352
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →