GHSA-fhh6-4qxv-rpqj: 9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes
Summary
9router, a tool for managing AI plugins, has a critical vulnerability in which two unprotected API endpoints can be chained together to run arbitrary OS commands. The root cause is that the authentication middleware protects only 8 specific routes, while 40+ routes under `/api/cli-tools/*` and `/api/mcp/*` have no protection at all, so an attacker with network access can register malicious commands and then trigger them without any credentials.
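The following is an added illustration, not 9router's own code: it contrasts the "allowlist of protected routes" pattern the summary describes with a deny-by-default middleware, and adds the kind of route-coverage check a CI test can run. The route paths and the token are constructed for the example.

```javascript
// Added example (not 9router's code). Requests are modelled as { path, headers }.
const API_TOKEN = "constructed-demo-token"; // constructed sample credential

function isAuthenticated(req) {
  return req.headers["authorization"] === `Bearer ${API_TOKEN}`;
}

// Weak pattern: an allowlist of *protected* routes. Any route not listed here,
// including whole families added later, is served with no check at all.
const PROTECTED_ROUTES = new Set(["/api/settings", "/api/keys", "/api/providers"]); // constructed
function weakAuthMiddleware(req) {
  if (PROTECTED_ROUTES.has(req.path) && !isAuthenticated(req)) return 401;
  return 200;
}

// Hardened pattern: every /api/ route requires a credential unless it is
// explicitly declared public. Public endpoints are the exception, not the default.
const PUBLIC_ROUTES = new Set(["/api/health"]); // constructed
function denyByDefaultMiddleware(req) {
  if (!req.path.startsWith("/api/")) return 200; // static assets, UI pages
  if (PUBLIC_ROUTES.has(req.path)) return 200;
  return isAuthenticated(req) ? 200 : 401;
}

// Coverage check: walk the registered route table with an anonymous request and
// report every /api/ route that answers 200 without being declared public.
function unprotectedApiRoutes(routeTable, middleware) {
  return routeTable.filter(
    (path) =>
      path.startsWith("/api/") &&
      !PUBLIC_ROUTES.has(path) &&
      middleware({ path, headers: {} }) === 200
  );
}

// Constructed route table modelled on the route families named in the advisory.
const ROUTES = [
  "/api/settings", "/api/keys", "/api/providers", "/api/health",
  "/api/mcp/plugins", "/api/mcp/plugins/run", "/api/cli-tools/list",
];

console.log("weak middleware leaves open:", unprotectedApiRoutes(ROUTES, weakAuthMiddleware));
console.log("deny-by-default leaves open:", unprotectedApiRoutes(ROUTES, denyByDefaultMiddleware));
```

Running the coverage check against the real route table on every build turns "a new route family was added without auth" from a silent regression into a failing test.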
Vulnerability Details
EPSS: 0.0%
Original source: https://github.com/advisories/GHSA-fhh6-4qxv-rpqj
First tracked: May 19, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%