Vulnerability  ·  2026-07-17

9Router — PATCH /api/settings Missing Field Whitelist Allows Disabling Authentication Application-Wide

VulnerabilityMedium impactGlobalCVE-2026-56679
9Router's settings PATCH endpoint accepted arbitrary fields without a whitelist, letting any authenticated user flip application-wide security settings such as requireLogin.
Combined with 9Router's other authentication weaknesses in this release cluster, this provides an escalation path for a low-privileged account to remove authentication protections entirely on an AI routing/proxy component.
The PATCH /api/settings endpoint writes the entire request body to persistent settings without a field whitelist, allowing an authenticated user to set security-critical fields such as requireLogin, disabling authentication for the whole application.
9Router prior to 0.5.4
Upgrade to 9Router 0.5.4 or later. See GHSA-vmjq-hvgq-2wv4.
GitHub Security Advisory GHSA-vmjq-hvgq-2wv4
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →