Vulnerability in Decolua 9router

CVE-2026-56679

9Router is an AI router & token saver. Prior to 0.5.4, the PATCH /api/settings endpoint writes the entire request body to persistent settings without a field whitelist, allowing an authenticated user to set security-critical fields such as…

Vulnerability class: Mass Assignment

Affected products

Weakness classification (CWE)

References