External risk intelligence

9Router Hardcoded JWT Secret Allows Authentication Bypass.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-49352

The vulnerability exists in an API authentication route for a router/gateway application. Such services are commonly deployed as internet-facing web applications or API endpoints, making them frequently exposed to the public internet in standard deployment patterns.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in 9Router, an AI router and token saver. The issue stems from a hardcoded secret used for authentication, which could allow unauthorized access and manipulation of the system if left unset. This exposure could have significant security implications for organizations utilizing this technology.

  • Hardcoded secret allows unauthorized access.
  • Confirm relevance and exposure for leadership.
  • Understand potential security risks and impacts.

Attack Path

How an attacker could exploit the issue

An attacker can forge a valid authentication token by exploiting a hardcoded secret used for JWT encryption. This is possible when the JWT secret configuration is not properly set, allowing unauthorized access to the application. The vulnerability can lead to a complete compromise of user sessions and potentially other sensitive actions within the application.

  • No authentication is required to initiate.
  • Exploits a predictable JWT secret.
  • Enables full session hijacking.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to forge authentication tokens if the JWT secret is not configured. This could lead to unauthorized access to the router's functionalities and potentially compromise its behavior.

  • User authentication tokens.
  • Forging tokens when secret is unset.
  • Unauthorized access to router functions.

Operational Fix

Recommended remediation, mitigation, and detection steps

The platform or infrastructure team is likely responsible for managing the 9Router AI router. The immediate first step is to identify all instances of 9Router within the environment, confirm their exposure and business criticality, and then engage the accountable owner to plan remediation based on assessed risk.

  • Platform/Infrastructure team owns the issue.
  • Verify 9Router instances and exposure.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is 9Router?

9Router is a specialized software tool designed as an AI router and token saver. Users deploy it to manage traffic and optimize token usage for AI services. It acts as a gateway or intermediary layer that handles session management and authentication for these requests, making it a critical component for developers routing data between their systems and AI models.

What does CWE-798 mean for CVE-2026-49352?

CWE-798 refers to the use of hardcoded credentials. In the context of CVE-2026-49352, this means the software contains a preset, predictable password or secret key meant for authentication. Because this secret is embedded directly in the code, it acts as a universal master key that anyone aware of the software's architecture can use to bypass security checks.

How do attackers trigger this vulnerability?

An attacker exploits this by forging a valid authentication token using the hardcoded secret found in the software. This only occurs when the system administrator has not defined a custom JWT_SECRET; if the secret remains unset, the application falls back to the insecure, hardcoded default. Configuring a unique, custom secret prevents the software from using the vulnerable default key.

Is my 9Router instance at risk?

Halo Surface Signal indicates that 9Router is commonly deployed as an internet-facing service or API endpoint, which increases the likelihood of external accessibility. If your instance is exposed to the public internet, it faces a higher risk of discovery and interaction by unauthorized parties who might attempt to forge session tokens.

What is the first step to fix this?

The most effective way to secure your environment is to update 9Router to version 0.4.44 or later. If you cannot update immediately, ensure that a strong, unique JWT_SECRET is explicitly configured for your deployment to override the vulnerable fallback behavior. Coordinate with your infrastructure team to audit all 9Router instances to verify they are running a patched version.

References