CVE-2026-46339: 9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes

May 19, 2026

9router exposes two unauthenticated API endpoints that, when chained together, allow any network-adjacent attacker to execute arbitrary OS commands as the user running the 9router process — with zero prerequisites and no credentials required.

The vulnerability exists because the Next.js middleware that enforces authentication (src/proxy.js) only guards 8 explicitly listed routes. The attack surface of /api/cli-tools/* and /api/mcp/* (40+ routes) receives no authentication whatsoever.

References

github.com/advisories/GHSA-fhh6-4qxv-rpqj
github.com/decolua/9router/security/advisories/GHSA-fhh6-4qxv-rpqj
nvd.nist.gov/vuln/detail/CVE-2026-46339

Code Behaviors & Features

Detect and mitigate CVE-2026-46339 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →