Executive Summary
A critical severity vulnerability (CVSS 10.0) has been disclosed in 9Router, an AI-powered token-saving API router. The flaw, tracked as CVE-2026-46339, exists in the src/proxy.js middleware from version 0.4.30 through 0.4.36. The middleware failed to protect two critical API route families — /api/cli-tools/* and /api/mcp/* — leaving them fully open to unauthenticated requests.
Exploitation allows an attacker to register custom plugins via cowork-settings and subsequently execute arbitrary commands through the MCP (Model Context Protocol) bridge, resulting in complete remote code execution with no credentials required.
Technical Details
Vulnerability Root Cause
The src/proxy.js middleware in 9Router is responsible for enforcing authentication before requests are forwarded to backend services. In the affected versions, the middleware allowlist was incomplete: routes under /api/cli-tools/* and /api/mcp/* were not included in the authentication check, effectively bypassing all access controls for those paths.
Two specific endpoints were directly exploitable:
/api/cli-tools/cowork-settings/route.js— allowed unauthenticated registration ofcustomPlugins, letting an attacker define arbitrary tool configurations.- MCP bridge endpoint — once a malicious plugin was registered, the MCP bridge would execute commands on behalf of the registered tool context without additional validation.
Attack Chain
- Discovery — Attacker identifies a 9Router instance (commonly exposed via web interface on port 3000 or via Vercel/cloud deployments).
- Plugin Registration — POST request to
/api/cli-tools/cowork-settingswith a crafted payload registers a malicious custom plugin definition with no authentication required. - Command Execution — The attacker sends a crafted request to the MCP bridge endpoint referencing the newly registered plugin, triggering server-side command execution in the context of the 9Router process.
CVSS Score Breakdown
| Metric | Value |
|---|---|
| Base Score | 10.0 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
Affected Versions
| Product | Vulnerable Versions | Patched Version |
|---|---|---|
| 9Router | 0.4.30 – 0.4.36 | 0.4.37+ |
Remediation
Upgrade immediately to 9Router v0.4.37 or later, which adds proper authentication guards to all /api/cli-tools/* and /api/mcp/* route handlers in src/proxy.js.
Workarounds (if immediate upgrade is not possible)
- Network-level restriction — Block external access to
/api/cli-tools/and/api/mcp/paths at the reverse proxy or WAF layer. - IP allowlist — Restrict access to 9Router's management interface to trusted IP ranges only.
- Disable MCP bridge — If MCP integration is not in use, disable or remove the bridge configuration to reduce attack surface.
Indicators of Compromise
Monitor for unexpected:
- POST requests to
/api/cli-tools/cowork-settingsfrom untrusted sources - New or unfamiliar plugin definitions appearing in 9Router configuration
- Unusual outbound network connections from the 9Router host process
- Anomalous command execution in application logs