CVE-2026-46339 is a critical-severity OS command injection vulnerability in 9router (npm), affecting versions >= 0.4.30, < 0.4.37. It is fixed in 0.4.37.
Summary

9router exposes two unauthenticated API endpoints that, when chained together, allow any network-adjacent attacker to execute arbitrary OS commands as the user running the 9router process, with no prerequisites and no credentials required. The vulnerability exists because the Next.js middleware that enforces authentication (src/proxy.js) only guards 8 explicitly listed routes. The entire attack surface of /api/cli-tools/ and /api/mcp/ (40+ routes) receives no authentication whatsoever.

Root Cause

Middleware allowlist is too narrow. File: src/proxy.js. Next.js middleware only runs on routes matching its matcher list. Routes not listed, including /api/cli-tools/ and /api/mcp/, bypass the dashboardGuard auth check entirely.

Unguarded endpoint accepts arbitrary command registration. File: src/app/api/cli-tools/cowork-settings/route.js, lines 292–319. The command and args fields from the attacker's JSON are stored verbatim into globalThis._9routerCustomPlugins, a process-global Map that survives Hot Module Replacement (see src/lib/mcp/stdioSseBridge.js, lines 114–116).

Unguarded SSE endpoint triggers spawn() with the stored command. File: src/app/api/mcp/[plugin]/sse/route.js, lines 6–25, and src/lib/mcp/stdioSseBridge.js, line 138. spawn() is called with shell: false (the default), so no shell metacharacter injection is involved; but because the attacker controls both plugin.command (the binary path) and plugin.args, the result is equivalent to arbitrary command execution.

Attack Chain

Register a plugin through the unguarded cowork-settings endpoint, then request the unguarded SSE endpoint for that plugin name to trigger spawn(). Time to exploit from first request: under 2 seconds. Prerequisites: network access to port 20128 (Docker default: 0.0.0.0:20128).

Proof of Concept

PoC 1, file write (no listener required). Observed output (on local test instance):

PoC 2, automated PoC script. The script (poc.py) is included in this advisory.
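The root cause above is an allowlist problem: a Next.js matcher decides which requests ever reach the middleware, and a route family that is not listed never meets the auth guard. The following stand-alone model, added here and not taken from 9router's src/proxy.js, mirrors Next.js matcher semantics for a small subset of patterns and audits which sample paths bypass the guard. The eight route names in NARROW_MATCHER, the public endpoint /api/health and the sample paths are assumed placeholders; only /api/cli-tools/cowork-settings and /api/mcp/[plugin]/sse come from the advisory.

```javascript
// Added example (not 9router's code): a stand-alone model of how a Next.js
// middleware `matcher` allowlist decides which requests ever reach the auth
// guard. The route lists below are illustrative placeholders; the real
// src/proxy.js matcher is not reproduced on this page.

// Convert one matcher pattern (the path-to-regexp subset Next.js accepts) to a
// RegExp: "/:name*" matches zero or more trailing segments, ":name" exactly one.
function matcherToRegExp(pattern) {
  const body = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")   // escape regex metacharacters
    .replace(/\/:\w+\*/g, "(?:/[^/]+)*")     // "/:path*" -> optional segments
    .replace(/:\w+/g, "[^/]+");              // "/:id"    -> one segment
  return new RegExp(`^${body}/?$`);
}

// True when the pathname matches the allowlist and middleware (dashboardGuard)
// runs; false when the request goes straight to the route handler.
function isGuarded(matchers, pathname) {
  return matchers.some((m) => matcherToRegExp(m).test(pathname));
}

// Every route in `routes` that bypasses middleware under the given allowlist.
function unguardedRoutes(matchers, routes) {
  return routes.filter((r) => !isGuarded(matchers, r));
}

// Placeholder stand-in for the "8 explicitly listed routes" (assumed names).
const NARROW_MATCHER = [
  "/", "/dashboard/:path*", "/settings/:path*", "/api/settings/:path*",
  "/api/providers/:path*", "/api/keys/:path*", "/api/usage/:path*", "/api/models/:path*",
];

// Fix 1 from the advisory: add the two unguarded route families.
const EXTENDED_MATCHER = [...NARROW_MATCHER, "/api/cli-tools/:path*", "/api/mcp/:path*"];

// Sturdier variant: match all of /api and decide inside middleware with a short
// public list, so a future route family cannot fall outside the allowlist again.
const PUBLIC_API_PATHS = new Set(["/api/health"]); // assumed public endpoint
const DENY_BY_DEFAULT_MATCHER = ["/", "/dashboard/:path*", "/settings/:path*", "/api/:path*"];
function isGuardedDenyByDefault(pathname) {
  return isGuarded(DENY_BY_DEFAULT_MATCHER, pathname) && !PUBLIC_API_PATHS.has(pathname);
}

// Constructed sample of request paths, including the two from the advisory.
const SAMPLE_ROUTES = [
  "/dashboard",
  "/api/settings/general",
  "/api/cli-tools/cowork-settings",
  "/api/mcp/demo-plugin/sse",
];

// Audit both allowlists against the sample paths.
function auditAllowlists() {
  return {
    narrow: unguardedRoutes(NARROW_MATCHER, SAMPLE_ROUTES),
    extended: unguardedRoutes(EXTENDED_MATCHER, SAMPLE_ROUTES),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditAllowlists(), null, 2));
}
```

Under the narrow allowlist both advisory paths come back unguarded while the dashboard and settings paths are protected; adding the two families closes the gap. The deny-by-default variant is the shape to prefer in review: any new /api route is guarded unless someone explicitly adds it to the public list, which is the failure mode this CVE demonstrates.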
Impact

| Category | Detail |
|---|---|
| Confidentiality | Full read access to the server filesystem: API keys, TLS private keys, ~/.claude/settings.json (Anthropic tokens), AWS credentials |
| Integrity | Arbitrary file write, persistence via cron/systemd |
| Availability | Process termination, resource exhaustion |
| Lateral movement | docker group membership (confirmed in test) allows full container escape → host root |
| Scope | Remote, unauthenticated, network-accessible |

High-value exfiltration targets on a typical 9router host:

- ~/.claude/settings.json, ANTHROPIC_AUTH_TOKEN
- ~/.aws/credentials, ~/.aws/sso/cache/*.json, AWS keys
- $DATADIR/db.sqlite, the 9router local database (all stored API keys, provider configs)
- TLS private keys managed by the MITM proxy (src/mitm/)

Affected Versions

| Version | Affected | Notes |
|---|---|---|
| < v0.4.30 | No | cowork-settings and MCP SSE bridge did not exist |
| v0.4.30 | Yes | Introduced in commit 8f4d29c (2026-05-11) |
| v0.4.31 | Yes | |
| v0.4.32 | Yes | |
| v0.4.33 | Yes | Latest at time of disclosure |

The table reflects the state at disclosure; the published fix landed in 0.4.37, so 0.4.34 through 0.4.36 also fall in the affected range (>= 0.4.30, < 0.4.37). The vulnerability was introduced when the MCP stdio→SSE bridge feature was added in v0.4.30; the middleware matcher was not updated to protect the new routes.

Remediation

Fix 1, extend the middleware matcher (minimal fix). File: src/proxy.js.

Fix 2, validate command in registerCustomPlugin (defense-in-depth). File: src/lib/mcp/stdioSseBridge.js.

Fix 3, sanitize customPlugins at the API boundary. File: src/app/api/cli-tools/cowork-settings/route.js, line 312.

All three fixes should be applied together. Fix 1 alone is sufficient to prevent exploitation by unauthenticated attackers, but Fixes 2 and 3 provide defense-in-depth against authenticated users abusing the feature.
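Fixes 2 and 3 are about what the registration path is willing to store. The block below is an added example, not 9router's code, that models both: registerCustomPluginUnsafe reconstructs the verbatim storage the advisory describes, validatePlugin and registerCustomPluginSafe stand in for Fix 2, and sanitizeCustomPlugins stands in for Fix 3 at the API boundary. The launcher allowlist (npx, uvx), the patterns, the globalThis property name and the constructed request body are all this example's assumptions. One caveat a practitioner should keep in mind: an allowlisted launcher such as npx still runs whatever package name it is handed, so this validation narrows the blast radius of a trusted user's mistake; it is not a substitute for the authentication fix, which the advisory itself says is the one that stops unauthenticated attackers.

```javascript
// Added example (not 9router's code): a stand-alone model of the advisory's
// Fix 2 and Fix 3. registerCustomPluginUnsafe reconstructs the described
// behaviour (verbatim storage); validatePlugin, registerCustomPluginSafe and
// sanitizeCustomPlugins are this example's own names, with an assumed allowlist.

// Process-global registry, modelled on the advisory's globalThis Map that
// survives Hot Module Replacement; the property name here is this example's own.
globalThis._exampleCustomPlugins = globalThis._exampleCustomPlugins || new Map();

// Reconstruction of the vulnerable path: command and args are kept verbatim,
// so a later spawn(plugin.command, plugin.args) runs whatever the caller sent.
// shell:false is irrelevant when the caller picks the binary itself.
function registerCustomPluginUnsafe(name, plugin) {
  globalThis._exampleCustomPlugins.set(name, { command: plugin.command, args: plugin.args });
}

// Fix 2: constrain the binary and its arguments before anything is stored.
const ALLOWED_COMMANDS = new Set(["npx", "uvx"]);        // assumed launcher allowlist
const NAME_PATTERN = /^[a-z0-9][a-z0-9-]{0,63}$/;          // plugin key that ends up in the URL
const ARG_PATTERN = /^[A-Za-z0-9@._:\/=-]{1,200}$/;        // no spaces, quotes, $, ;, |, &
const MAX_ARGS = 16;

function validatePlugin(name, plugin) {
  if (!NAME_PATTERN.test(String(name))) return { ok: false, reason: "bad plugin name" };
  if (plugin === null || typeof plugin !== "object") return { ok: false, reason: "plugin must be an object" };
  const { command, args = [] } = plugin;
  if (typeof command !== "string" || /[\\/]/.test(command)) {
    return { ok: false, reason: "command must be a bare program name, not a path" };
  }
  if (!ALLOWED_COMMANDS.has(command)) return { ok: false, reason: `command not allowlisted: ${command}` };
  if (!Array.isArray(args) || args.length > MAX_ARGS) return { ok: false, reason: "args must be a short array" };
  for (const a of args) {
    if (typeof a !== "string" || !ARG_PATTERN.test(a)) {
      return { ok: false, reason: `unsafe argument: ${JSON.stringify(a)}` };
    }
  }
  return { ok: true, plugin: { command, args: [...args] } };
}

function registerCustomPluginSafe(name, plugin) {
  const v = validatePlugin(name, plugin);
  if (!v.ok) throw new Error(`rejected plugin ${name}: ${v.reason}`);
  globalThis._exampleCustomPlugins.set(name, v.plugin);
  return v.plugin;
}

// Fix 3: at the API boundary, keep only well-formed entries and report the rest,
// so the registry never receives an attacker-shaped object at all.
function sanitizeCustomPlugins(body) {
  const accepted = {};
  const rejected = [];
  const raw = body && body.customPlugins;
  const entries = raw && typeof raw === "object" ? Object.entries(raw) : [];
  for (const [name, plugin] of entries) {
    const v = validatePlugin(name, plugin);
    if (v.ok) accepted[name] = v.plugin;
    else rejected.push({ name, reason: v.reason });
  }
  return { accepted, rejected };
}

// Constructed request body: one legitimate MCP server plus three malformed or
// hostile entries of the kind the unguarded endpoint would otherwise store.
const CONSTRUCTED_BODY = {
  customPlugins: {
    "filesystem": { command: "npx", args: ["-y", "@modelcontextprotocol/server-filesystem", "/srv/docs"] },
    "shell": { command: "/bin/sh", args: ["-c", "id > /tmp/out"] },
    "odd name!": { command: "npx", args: [] },
    "curlish": { command: "curl", args: ["http://example.invalid/"] },
  },
};

// Run the boundary sanitizer over the constructed body.
function demo() {
  return sanitizeCustomPlugins(CONSTRUCTED_BODY);
}
```

Running demo() accepts only the filesystem entry and rejects the other three, each with a reason that names the failed check. The unsafe registration stores /bin/sh untouched, which is exactly the state the SSE endpoint later hands to spawn(); the safe one throws before the registry changes.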
Untrusted input controls the program and arguments handed to spawn(). No shell is involved (shell: false), but because the attacker chooses both the binary path and its arguments, the effect is arbitrary command execution on the host. Typical impact: code execution as the user running the 9router process.
CVE-2026-46339 has a CVSS score of 10.0 (Critical). The vector is network-reachable with no privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (0.4.37). Upgrading removes the vulnerable code path.
Affected: 9router >= 0.4.30, < 0.4.37 (npm). Fixed in: 9router 0.4.37 (npm).

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's Application Detection and Response identifies whether CVE-2026-46339 is reachable in your applications. Explore runtime application protection for your team.
Upgrade 9router to 0.4.37 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.