{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/9router--0.4.30--0.4.37/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["9router (\u003e= 0.4.30, \u003c 0.4.37)"],"_cs_severities":["critical"],"_cs_tags":["rce","unauthenticated","plugin"],"_cs_type":"advisory","_cs_vendors":["9router"],"content_html":"\u003cp\u003e9router versions 0.4.30 through 0.4.33 are susceptible to an unauthenticated remote code execution vulnerability due to insufficient access control on the \u003ccode\u003e/api/cli-tools/*\u003c/code\u003e and \u003ccode\u003e/api/mcp/*\u003c/code\u003e API endpoints. Introduced in commit \u003ccode\u003e8f4d29c\u003c/code\u003e on 2026-05-11 with the addition of the MCP stdio→SSE bridge feature, this flaw allows a network-adjacent attacker to register a malicious plugin containing arbitrary OS commands. These commands can then be executed by triggering a Server-Sent Events (SSE) endpoint, resulting in the execution of commands as the user running the 9router process. This vulnerability poses a significant risk, as it requires no authentication and can be exploited in under 2 seconds from the first request.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/api/cli-tools/cowork-settings\u003c/code\u003e endpoint to register a malicious plugin. This endpoint is not protected by the Next.js middleware.\u003c/li\u003e\n\u003cli\u003eThe POST request contains a JSON payload with a \u003ccode\u003ecustomPlugins\u003c/code\u003e array. The \u003ccode\u003ename\u003c/code\u003e, \u003ccode\u003ecommand\u003c/code\u003e, and \u003ccode\u003eargs\u003c/code\u003e fields within the plugin definition are attacker-controlled.\u003c/li\u003e\n\u003cli\u003eThe server-side code in \u003ccode\u003esrc/app/api/cli-tools/cowork-settings/route.js\u003c/code\u003e extracts the \u003ccode\u003ecommand\u003c/code\u003e and \u003ccode\u003eargs\u003c/code\u003e from the JSON payload without proper validation.\u003c/li\u003e\n\u003cli\u003eThe extracted \u003ccode\u003ecommand\u003c/code\u003e and \u003ccode\u003eargs\u003c/code\u003e are then stored in the \u003ccode\u003eglobalThis.__9routerCustomPlugins\u003c/code\u003e map using the \u003ccode\u003eregisterCustomPlugin\u003c/code\u003e function in \u003ccode\u003esrc/lib/mcp/stdioSseBridge.js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a GET request to the \u003ccode\u003e/api/mcp/[plugin]/sse\u003c/code\u003e endpoint, where \u003ccode\u003e[plugin]\u003c/code\u003e is the name of the malicious plugin registered in the previous steps.\u003c/li\u003e\n\u003cli\u003eThe server-side code in \u003ccode\u003esrc/app/api/mcp/[plugin]/sse/route.js\u003c/code\u003e retrieves the plugin definition from the \u003ccode\u003eglobalThis.__9routerCustomPlugins\u003c/code\u003e map using the provided plugin name.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003espawn\u003c/code\u003e function in \u003ccode\u003esrc/lib/mcp/stdioSseBridge.js\u003c/code\u003e is called with the attacker-controlled \u003ccode\u003ecommand\u003c/code\u003e and \u003ccode\u003eargs\u003c/code\u003e from the plugin definition.\u003c/li\u003e\n\u003cli\u003eThe arbitrary OS command is executed on the server, allowing the attacker to perform actions such as writing files, establishing reverse shells, or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-46339 allows an unauthenticated attacker to achieve remote code execution on the 9router server. This can lead to full read access to the server\u0026rsquo;s filesystem, including sensitive files such as API keys, TLS private keys, Anthropic tokens (\u003ccode\u003e~/.claude/settings.json\u003c/code\u003e), and AWS credentials (\u003ccode\u003e~/.aws/credentials\u003c/code\u003e, \u003ccode\u003e~/.aws/sso/cache/*.json\u003c/code\u003e). Attackers can also achieve arbitrary file write, persistence via cron/systemd, process termination, and resource exhaustion. The \u003ccode\u003edocker\u003c/code\u003e group membership may allow container escape leading to host root access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the provided remediation steps by patching the \u003ccode\u003esrc/proxy.js\u003c/code\u003e file to extend the middleware matcher to include \u003ccode\u003e/api/cli-tools/:path*\u003c/code\u003e and \u003ccode\u003e/api/mcp/:path*\u003c/code\u003e to prevent unauthenticated access.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for the \u003ccode\u003ecommand\u003c/code\u003e and \u003ccode\u003eargs\u003c/code\u003e fields in the \u003ccode\u003eregisterCustomPlugin\u003c/code\u003e function in \u003ccode\u003esrc/lib/mcp/stdioSseBridge.js\u003c/code\u003e to prevent execution of arbitrary commands.\u003c/li\u003e\n\u003cli\u003eSanitize the \u003ccode\u003ecustomPlugins\u003c/code\u003e at the API boundary in \u003ccode\u003esrc/app/api/cli-tools/cowork-settings/route.js\u003c/code\u003e to ensure that only authorized commands are executed.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect 9router Unauthenticated RCE via MCP Plugin Registration\u0026rdquo; to identify attempts to register malicious plugins via the \u003ccode\u003e/api/cli-tools/cowork-settings\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T19:22:37Z","date_published":"2026-05-19T19:22:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-9router-rce/","summary":"9router versions 0.4.30 to 0.4.33 are vulnerable to unauthenticated remote code execution, allowing network-adjacent attackers to execute arbitrary OS commands by registering and triggering malicious plugins through unprotected API endpoints.","title":"9router Unauthenticated Remote Code Execution via MCP Plugin Routes","url":"https://feed.craftedsignal.io/briefs/2026-05-9router-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — 9router (\u003e= 0.4.30, \u003c 0.4.37)","version":"https://jsonfeed.org/version/1.1"}