Executive Summary
A critical vulnerability (CVSS 9.8) has been identified in 9Router, an AI token-saving API router, affecting versions 0.2.21 through 0.4.43. Tracked as CVE-2026-49352, the flaw stems from a hardcoded fallback JWT secret — 9router-default-secret-change-me — embedded directly in the application source code.
This secret was used as a fallback when no JWT_SECRET environment variable was configured. Attackers who discover this default value (which is publicly visible in the open-source repository) can forge valid auth_token cookies, bypassing authentication entirely and gaining administrative control over the 9Router instance.
Technical Details
Vulnerability Root Cause
JWT tokens in 9Router are signed and verified using a secret key. The vulnerability arises because the following source files contain a hardcoded literal fallback:
src/app/api/auth/login/route.jssrc/middleware.jssrc/lib/auth/dashboardSession.js(added in later versions)
The affected code pattern follows this logic:
const secret = process.env.JWT_SECRET || '9router-default-secret-change-me';Any deployment that did not explicitly set the JWT_SECRET environment variable — a common configuration oversight — would silently fall back to this well-known string. Because the secret is publicly documented in the open-source repository, an attacker can:
- Sign an arbitrary JWT payload with the known secret.
- Set the forged token as the
auth_tokencookie. - Access all authenticated routes as an administrator.
Impact
The hardcoded secret effectively nullifies the authentication mechanism for any 9Router instance that:
- Was deployed without explicitly configuring
JWT_SECRET - Used default Docker Compose or quick-start configurations that didn't document the variable as required
CVSS Score Breakdown
| Metric | Value |
|---|---|
| Base Score | 9.8 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
Affected Versions
| Product | Vulnerable Versions | Patched Version |
|---|---|---|
| 9Router | 0.2.21 – 0.4.43 | 0.4.44+ |
Remediation
Upgrade to 9Router v0.4.44 or later, which removes the hardcoded fallback and requires explicit JWT_SECRET configuration, failing startup if not provided.
Immediate Actions for All Instances
- Rotate JWT secret — Set a strong, unique
JWT_SECRETenvironment variable (minimum 32 random bytes). - Invalidate all existing sessions — After rotating the secret, all existing
auth_tokencookies will be invalidated, forcing re-authentication. - Audit access logs — Review logs for any requests using forged tokens (look for admin actions from unexpected IPs or time periods).
- Upgrade to v0.4.44+ — The patch enforces explicit secret configuration at startup.
Generating a Secure JWT Secret
# Generate a cryptographically secure secret
openssl rand -hex 32Set the output as the JWT_SECRET environment variable in your deployment configuration.
Detection
Check whether your 9Router deployment is vulnerable:
# Check if JWT_SECRET is set in your environment
docker exec <container-name> printenv JWT_SECRET
# If empty or unset, your instance is using the hardcoded fallbackCheck for signs of exploitation by looking for admin-level actions in logs that cannot be correlated to legitimate user sessions.