External risk intelligence

9Router Unauthenticated Command Execution Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-46339

The vulnerability resides in a web application's API endpoints (/api/cli-tools/* and /api/mcp/*) that handle plugin registration and command execution. As a web-based AI router, these API services are commonly deployed to be accessible over the network to fulfill their function, making them a likely target for exposure as internet-facing application components.

OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in 9Router, an AI router and token saver, affecting versions between 0.4.30 and 0.4.37. This issue allows unauthenticated users to register custom plugins and execute commands, potentially leading to significant compromise of the affected systems. The main concern is confirming relevance and exposure to understand the potential impact.

  • Allows unauthorized code execution.
  • Matters for data protection and system integrity.
  • Confirm if this AI router is in use.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending unauthenticated requests to specific API endpoints on the 9Router. These requests can register custom plugins or directly execute commands through the MCP bridge, potentially leading to significant impact on the system.

  • No authentication required to access.
  • Triggered by API calls to specific endpoints.
  • Command execution and unauthorized plugin registration.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in 9Router's API could allow an unauthenticated attacker to register custom plugins and execute commands, impacting the service's behavior when its network-facing API endpoints are accessible.

  • Unauthenticated command execution is at risk.
  • Malicious plugins could be registered remotely.
  • Service integrity and availability may be affected.

Operational Fix

Recommended remediation, mitigation, and detection steps

Given that 9Router is an AI router and token saver, the platform or application owner responsible for its deployment is likely accountable for addressing this critical vulnerability. The first practical step involves identifying all instances of 9Router, determining their network accessibility and business criticality, and then engaging the appropriate team for remediation planning based on assessed risk.

  • Accountable team: Platform or application owner.
  • Verify: Instance reachability and business criticality.
  • Action: Plan risk-based remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is 9Router?

9Router is a software utility designed as an AI router and token saver. It acts as an intermediary layer in AI-driven workflows to optimize performance and token usage. Developers typically integrate it into their technical stacks to manage how requests are routed and processed across different services, including those utilizing Model Context Protocol (MCP) bridges and custom plugin architectures.

What does CVE-2026-46339 mean for security?

This vulnerability involves improper authentication and command injection, categorized as CWE-306 and CWE-78. It means the software fails to verify who is sending requests to specific API endpoints. Consequently, an unauthorized person can send crafted messages that the system interprets as legitimate commands, leading to the execution of arbitrary code or the registration of malicious plugins.

How is this vulnerability triggered?

The flaw is triggered when an attacker sends requests to unprotected API paths, specifically those under /api/cli-tools/ or /api/mcp/. Accessing these endpoints allows for unauthorized plugin registration or command execution via the MCP bridge. It is important to note that simply having the software installed is not the trigger; the path requires network-accessible, unauthenticated requests to reach the vulnerable middleware.

Is my 9Router instance at risk?

According to Halo Surface Signal, this vulnerability impacts network-accessible application components. Because 9Router functions as a web-based router, its API services are often configured to be reachable over the network to perform their routing duties. If your instance is exposed to the internet or accessible from untrusted network segments, it is at higher risk of being reached by these unauthorized API calls.

Do I need to update 9Router?

Yes, the primary step to resolve this issue is to upgrade. The vulnerability is present in versions 0.4.30 through 0.4.36 and was addressed in version 0.4.37. As an immediate action, verify your current version number. If you are running an affected version, coordinate with your technical team to plan an upgrade to 0.4.37 or later to secure the API middleware.

References