CVE-2026-49234: Routinator crashes when sending a maliciously crafted select-asn query parameter

June 8, 2026 (updated June 12, 2026)

When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes.

This only affects users who allow API access from untrusted networks.

References

github.com/NLnetLabs/routinator/releases/tag/v0.15.2
github.com/advisories/GHSA-gc6q-cwcj-3vh9
nvd.nist.gov/vuln/detail/CVE-2026-49234
www.nlnetlabs.nl/downloads/routinator/CVE-2026-49234.txt

Code Behaviors & Features

Detect and mitigate CVE-2026-49234 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →