Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1921+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-46339: 9Router Unauthenticated Plugin Registration & MCP Command Execution
CVE-2026-46339: 9Router Unauthenticated Plugin Registration & MCP Command Execution

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-46339

CVE-2026-46339: 9Router Unauthenticated Plugin Registration & MCP Command Execution

A critical CVSS 10 vulnerability in 9Router AI router versions 0.4.30–0.4.36 allows unauthenticated attackers to register custom plugins and execute arbitrary commands via an unprotected MCP bridge endpoint.

Dylan H.

Security Team

July 16, 2026
3 min read

Affected Products

  • 9Router v0.4.30 – v0.4.36

Executive Summary

A critical severity vulnerability (CVSS 10.0) has been disclosed in 9Router, an AI-powered token-saving API router. The flaw, tracked as CVE-2026-46339, exists in the src/proxy.js middleware from version 0.4.30 through 0.4.36. The middleware failed to protect two critical API route families — /api/cli-tools/* and /api/mcp/* — leaving them fully open to unauthenticated requests.

Exploitation allows an attacker to register custom plugins via cowork-settings and subsequently execute arbitrary commands through the MCP (Model Context Protocol) bridge, resulting in complete remote code execution with no credentials required.


Technical Details

Vulnerability Root Cause

The src/proxy.js middleware in 9Router is responsible for enforcing authentication before requests are forwarded to backend services. In the affected versions, the middleware allowlist was incomplete: routes under /api/cli-tools/* and /api/mcp/* were not included in the authentication check, effectively bypassing all access controls for those paths.

Two specific endpoints were directly exploitable:

  • /api/cli-tools/cowork-settings/route.js — allowed unauthenticated registration of customPlugins, letting an attacker define arbitrary tool configurations.
  • MCP bridge endpoint — once a malicious plugin was registered, the MCP bridge would execute commands on behalf of the registered tool context without additional validation.

Attack Chain

  1. Discovery — Attacker identifies a 9Router instance (commonly exposed via web interface on port 3000 or via Vercel/cloud deployments).
  2. Plugin Registration — POST request to /api/cli-tools/cowork-settings with a crafted payload registers a malicious custom plugin definition with no authentication required.
  3. Command Execution — The attacker sends a crafted request to the MCP bridge endpoint referencing the newly registered plugin, triggering server-side command execution in the context of the 9Router process.

CVSS Score Breakdown

MetricValue
Base Score10.0 (Critical)
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeChanged
Confidentiality ImpactHigh
Integrity ImpactHigh
Availability ImpactHigh

Affected Versions

ProductVulnerable VersionsPatched Version
9Router0.4.30 – 0.4.360.4.37+

Remediation

Upgrade immediately to 9Router v0.4.37 or later, which adds proper authentication guards to all /api/cli-tools/* and /api/mcp/* route handlers in src/proxy.js.

Workarounds (if immediate upgrade is not possible)

  1. Network-level restriction — Block external access to /api/cli-tools/ and /api/mcp/ paths at the reverse proxy or WAF layer.
  2. IP allowlist — Restrict access to 9Router's management interface to trusted IP ranges only.
  3. Disable MCP bridge — If MCP integration is not in use, disable or remove the bridge configuration to reduce attack surface.

Indicators of Compromise

Monitor for unexpected:

  • POST requests to /api/cli-tools/cowork-settings from untrusted sources
  • New or unfamiliar plugin definitions appearing in 9Router configuration
  • Unusual outbound network connections from the 9Router host process
  • Anomalous command execution in application logs

References

  • NVD — CVE-2026-46339
  • 9Router Project Repository
#CVE-2026-46339#9Router#RCE#Unauthenticated#MCP#AI Security#Critical

Related Articles

CVE-2026-61447: PraisonAI CodeAgent Remote Code Execution via Unsandboxed Python Execution

A CVSS 10.0 critical vulnerability in PraisonAI before 1.6.78 allows attackers to achieve remote code execution by injecting malicious prompts that...

3 min read

CVE-2026-56290: Joomlack Page Builder Unauthenticated File Upload RCE — CISA KEV

A CVSS 10.0 unauthenticated arbitrary file upload vulnerability in the Joomlack Page Builder CK Joomla extension allows any remote attacker to upload a...

6 min read

CVE-2026-26210: KTransformers Unsafe Deserialization RCE

KTransformers through version 0.5.3 contains a critical unsafe deserialization vulnerability in its balance_serve backend mode, where an unauthenticated...

6 min read
Back to all Security Alerts