EXECUTIVE SUMMARY:
CVE-2026-49352, with a CVSS score of 9.8, is an authentication bypass vulnerability affecting the npm/9router framework across versions. This flaw occurs because the application uses a publicly known hardcoded string as a fallback JWT secret whenever the `JWT_SECRET` environment variable is not explicitly configured by the administrator. An unauthenticated remote attacker can exploit this weakness by crafting a forged `auth_token` cookie signed with the default secret, requiring no prior privileges or internal network access. Upon successful exploitation, the attacker gains full administrative control over the dashboard and API interfaces, enabling them to steal sensitive API keys, alter credentials, and disrupt service operations. The business impact is severe, potentially resulting in the complete compromise of the application and exposure of critical data assets. Notably, this condition is only exploitable on servers where the deployment process omitted the necessary environment variable configuration, leaving the instance reliant on the insecure default value.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-jphh-m39h-6gwx