CVE Disclosure · 9router

CVE-2026-49353

9router · decolua

Local-only access gate bypass — Host header spoofing reaches localhost-restricted endpoints

Severity: High
Class: CWE-290
Vector: Host header
Advisory: GHSA-6g2f-w7g3-77vf

Summary

CVE-2026-49353 is an access-control bypass (CWE-290, authentication bypass by spoofing) in 9router. The router enforces a "local-only" access gate on certain endpoints by inspecting the HTTP Host header to decide whether a request originates locally. Because the Host header is supplied entirely by the client, a remote attacker can set it to a local-looking value and walk straight through the gate.

Technical Detail

A local-only gate is meant to answer one question: is this request coming from the machine itself? The only trustworthy signal for that is the transport layer: the real source address of the connection (or the fact that it arrived over a Unix domain socket). 9router instead answered the question with the Host header, an application-layer field that any client can set to any value it likes, so the gate's decision rests entirely on attacker-controlled input.

This is the same structural mistake as trusting X-Forwarded-For for authorization: a value the attacker controls is used as a security boundary.

Impact

Remote reach into endpoints that were intended to be available only from the local host. Whatever 9router places behind the local-only gate — typically administrative or otherwise privileged routes that assume a trusted caller — becomes accessible to anyone who can reach the service over the network and send a forged Host header.

Resolution

Upgrade to the fixed release named in the advisory. The durable fix is to stop trusting client-supplied headers for locality and to decide on the connection's real peer address (or a Unix domain socket) instead. As interim hardening, bind local-only listeners to 127.0.0.1 and block external access to the service at the firewall.

References

GitHub Security Advisory GHSA-6g2f-w7g3-77vf: https://github.com/advisories/GHSA-6g2f-w7g3-77vf
MITRE CVE record: https://www.cve.org/CVERecord?id=CVE-2026-49353
NVD detail page: https://nvd.nist.gov/vuln/detail/CVE-2026-49353

Disclosure

Reported by Kai Aizen (SnailSploit). Coordinated with the 9router maintainers via GitHub Security Advisory GHSA-6g2f-w7g3-77vf. See the advisory for affected and fixed version details.

Author
Kai Aizen
Independent adversarial research group. Published CVEs, Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.
Quick facts
ID: CVE-2026-49353
Product: 9router (decolua)
Severity: High
Class: CWE-290
Vector: Host header spoofing → local-only gate bypass
Affected/Fixed: see GHSA-6g2f-w7g3-77vf
References: GHSA-6g2f-w7g3-77vf · MITRE · NVD
Frequently asked

CVE-2026-49353 — questions & answers

What is CVE-2026-49353?

An access-control bypass (CWE-290) in 9router. The local-only access gate is enforced by reading the client-supplied HTTP Host header, so a remote attacker who sends Host: localhost passes the gate and reaches endpoints meant to be local-only. Tracked as GHSA-6g2f-w7g3-77vf.

Am I affected by CVE-2026-49353?

You are affected if you run 9router with endpoints behind its local-only gate and the service is reachable from an untrusted network. See GHSA-6g2f-w7g3-77vf for the affected and fixed version range.

How do I fix CVE-2026-49353?

Upgrade to the fixed release in the advisory. Enforce locality on the real connecting peer address or a Unix domain socket — never on the Host header. As interim hardening, bind local-only listeners to 127.0.0.1 and block external access at the firewall.

What is the impact of CVE-2026-49353?

Remote access to functionality intended to be reachable only from the local host — typically administrative or privileged routes that assume a trusted local caller. The class is an origin/authentication bypass by spoofing.

Where can I find authoritative references?

The GitHub Security Advisory GHSA-6g2f-w7g3-77vf, the MITRE CVE record for CVE-2026-49353, and the NVD detail page once published.