{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5842", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-08T17:43:46.180Z", "datePublished": "2026-04-09T04:30:17.225Z", "dateUpdated": "2026-04-09T04:30:17.225Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-09T04:30:17.225Z"}, "title": "decolua 9router Administrative API Endpoint api authorization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-639", "lang": "en", "description": "Authorization Bypass"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "Improper Authorization"}]}], "affected": [{"vendor": "decolua", "product": "9router", "versions": [{"version": "0.3.0", "status": "affected"}, {"version": "0.3.1", "status": "affected"}, {"version": "0.3.2", "status": "affected"}, {"version": "0.3.3", "status": "affected"}, {"version": "0.3.4", "status": "affected"}, {"version": "0.3.5", "status": "affected"}, {"version": "0.3.6", "status": "affected"}, {"version": "0.3.7", "status": "affected"}, {"version": "0.3.8", "status": "affected"}, {"version": "0.3.9", "status": "affected"}, {"version": "0.3.10", "status": "affected"}, {"version": "0.3.11", "status": "affected"}, {"version": "0.3.12", "status": "affected"}, {"version": "0.3.13", "status": "affected"}, {"version": "0.3.14", "status": "affected"}, {"version": "0.3.15", "status": "affected"}, {"version": "0.3.16", "status": "affected"}, {"version": "0.3.17", "status": "affected"}, {"version": "0.3.18", "status": "affected"}, {"version": "0.3.19", "status": "affected"}, {"version": "0.3.20", "status": "affected"}, {"version": "0.3.21", "status": "affected"}, {"version": "0.3.22", "status": "affected"}, {"version": "0.3.23", "status": "affected"}, {"version": "0.3.24", "status": "affected"}, {"version": "0.3.25", "status": "affected"}, {"version": "0.3.26", "status": "affected"}, {"version": "0.3.27", "status": "affected"}, {"version": "0.3.28", "status": "affected"}, {"version": "0.3.29", "status": "affected"}, {"version": "0.3.30", "status": "affected"}, {"version": "0.3.31", "status": "affected"}, {"version": "0.3.32", "status": "affected"}, {"version": "0.3.33", "status": "affected"}, {"version": "0.3.34", "status": "affected"}, {"version": "0.3.35", "status": "affected"}, {"version": "0.3.36", "status": "affected"}, {"version": "0.3.37", "status": "affected"}, {"version": "0.3.38", "status": "affected"}, {"version": "0.3.39", "status": "affected"}, {"version": "0.3.40", "status": "affected"}, {"version": "0.3.41", "status": "affected"}, {"version": "0.3.42", "status": "affected"}, {"version": "0.3.43", "status": "affected"}, {"version": "0.3.44", "status": "affected"}, {"version": "0.3.45", "status": "affected"}, {"version": "0.3.46", "status": "affected"}, {"version": "0.3.47", "status": "affected"}, {"version": "0.3.75", "status": "unaffected"}], "modules": ["Administrative API Endpoint"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-08T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-08T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-08T19:48:54.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "cyberthoth (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/356298", "name": "VDB-356298 | decolua 9router Administrative API Endpoint api authorization", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/356298/cti", "name": "VDB-356298 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/790003", "name": "Submit #790003 | 9Router Router 0.3.47-0.3.32 Authorization Bypass", "tags": ["third-party-advisory"]}, {"url": "https://github.com/decolua/9router/issues/431", "tags": ["issue-tracking"]}, {"url": "https://github.com/decolua/9router/issues/431#issuecomment-4140163867", "tags": ["issue-tracking"]}, {"url": "https://github.com/deepcat1337/Free_Api_Exploit/tree/main", "tags": ["exploit"]}, {"url": "https://github.com/decolua/9router/releases/tag/v0.3.75", "tags": ["patch"]}, {"url": "https://github.com/decolua/9router/", "tags": ["product"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component."}], "id": "CVE-2026-5842", "lastModified": "2026-04-09T05:16:06.380", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-09T05:16:06.380", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/decolua/9router/"}, {"source": "cna@vuldb.com", "url": "https://github.com/decolua/9router/issues/431"}, {"source": "cna@vuldb.com", "url": "https://github.com/decolua/9router/issues/431#issuecomment-4140163867"}, {"source": "cna@vuldb.com", "url": "https://github.com/decolua/9router/releases/tag/v0.3.75"}, {"source": "cna@vuldb.com", "url": "https://github.com/deepcat1337/Free_Api_Exploit/tree/main"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/790003"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356298"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356298/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-639"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.3.0,0.3.47]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "0.3.75"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "9router", "source": "cna", "vendor": "decolua"}, "product": "9router", "vendor": "decolua"}], "analysis": {"en": {"generated_at": "2026-04-09T06:50:49.235781+00:00", "value": {"mitigation_remediation": ["Upgrade decolua 9router firmware to version 0.3.75 or later.", "Verify the firmware version on each device to confirm the upgrade succeeded.", "If an upgrade cannot be performed immediately, restrict external access to the administrative API endpoint using firewall rules or network segmentation."], "summary": {"action": "Upgrade", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerable entries affect decolua 9router router firmware, specifically the Administrative API Endpoint component. Any appliance running firmware version 0.3.47 or earlier is susceptible. Firmware upgrade to version 0.3.75 or later removes the flaw, making the device secure against this bypass.", "description_and_impact": "An unauthorized API call in decolua 9router up to version 0.3.47 permits a malicious actor to bypass authentication controls and obtain administrative privileges without supplying valid credentials. The flaw originates from an improper authorization check in a component of the /api administrative endpoint. The vulnerability can be exploited remotely by sending specially crafted HTTP requests, potentially enabling attackers to modify router configuration, access confidential data, or disrupt network services.", "risk_and_exploitability": "The CVSS base score of 6.9 reflects moderate severity, yet the scenario is realistic and convenient for attackers. No EPSS data is available, and the issue is not in CISA KEV, but publicly available exploit code confirms that remote exploitation can be achieved quickly. Because the attack can be performed from outside the local network by targeting the exposed API endpoint, the risk to organizations remains high until the firmware is updated or the endpoint is isolated with network controls."}}}}, "created": "2026-04-09T08:15:31.749834+00:00", "updated": "2026-04-09T08:24:58.595173+00:00", "vendors": ["decolua", "decolua$PRODUCT$9router"]}