CVE-2026-10269: Host Header Authorization Bypass in Decolua 9router
A vulnerability in decolua 9router allows an authenticated user to bypass authorization controls by manipulating the Host HTTP header. The flaw exists in the authentication logic of the dashboard guard component and can be exploited remotely by someone with valid login credentials. Affected versions up to 0.4.0 should be updated immediately to 0.4.1.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-266, CWE-285
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10269 is an improper authorization vulnerability affecting the isAuthenticated function in src/dashboardGuard.js of decolua 9router. The vulnerability stems from insufficient validation of the Host HTTP header, enabling an authenticated attacker to bypass authorization checks. The issue is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization), indicating both privilege escalation and authorization logic defects. The CVSS 3.1 score of 6.3 (Medium) reflects the requirement for prior authentication, though the impact spans confidentiality, integrity, and availability.
Business impact
An authenticated attacker exploiting this vulnerability could gain unauthorized access to sensitive dashboard functions or data intended to be restricted by role-based controls. While the attack requires valid credentials, the ability to bypass Host-based authorization checks could allow lateral movement within the application, unauthorized data access, or modification of system settings. For organizations running decolua 9router in production environments, this represents a privilege escalation risk that could lead to unauthorized administrative actions or data breach scenarios.
Affected systems
Decolua 9router versions up to and including 0.4.0 are vulnerable. The affected component is the HTTP Header Handler responsible for authentication decisions. Version 0.4.1 and later contain the security fix. Organizations should inventory all instances of decolua 9router and verify current version numbers to determine exposure.
Exploitability
Exploitation requires an attacker to have valid authentication credentials and network access to the affected application. Once authenticated, the attacker can craft requests with a manipulated Host header to circumvent authorization controls. The attack vector is network-based and does not require user interaction or elevated privileges beyond standard authentication. However, the requirement for prior authentication does reduce the overall attack surface compared to pre-authentication vulnerabilities.
Remediation
Upgrade decolua 9router to version 0.4.1 or later. The patch is identified by commit hash 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Verify the upgrade against the official vendor advisory to confirm the correct patch application. Test authorization enforcement in your environment post-upgrade to ensure proper function of Host-based access controls.
Patch guidance
Update decolua 9router components to version 0.4.1 as confirmed in the official release notes or vendor advisory. Prioritize this update for systems in production or handling sensitive data. Consider staging the update in a test environment first to validate that dashboard authorization functionality operates correctly and that no downstream dependencies are affected. Monitor upgrade logs for any initialization errors related to the HTTP header handler.
Detection guidance
Monitor HTTP requests to the dashboard or authentication endpoints for suspicious Host header values that deviate from expected internal hostnames or IP addresses. Log authentication bypass attempts or unexpected authorization failures following successful login. Check for access to administrative functions or restricted resources by users whose roles do not normally permit such access. Review the dashboardGuard.js component logs if available to identify anomalous authorization decisions, particularly those correlated with non-standard Host headers.
Why prioritize this
Although this vulnerability carries a CVSS score of 6.3 (Medium severity), it warrants prioritization for organizations where decolua 9router controls access to critical systems or data. The combination of a straightforward exploitation method and potential for privilege escalation or lateral movement makes it a moderate business risk. The fact that a simple patch to version 0.4.1 exists with no reported breaking changes supports rapid remediation.
Risk score, explained
The CVSS 3.1 score of 6.3 reflects a Medium severity rating driven by the following factors: Attack Vector (Network), Access Complexity (Low), and Privilege Required (Low) indicate a readily exploitable flaw; however, the requirement for prior authentication limits the overall risk. The impact on Confidentiality, Integrity, and Availability (all Low) suggests localized compromise rather than catastrophic failure. The score does not account for business context; organizations with strict role-based access requirements or highly privileged user roles may experience amplified risk and should treat this vulnerability accordingly.
Frequently asked questions
Does this vulnerability allow unauthenticated access?
No. The vulnerability requires an attacker to possess valid authentication credentials. Once authenticated, the attacker can manipulate the Host header to bypass authorization checks, effectively escalating privileges or gaining access to restricted resources within the application.
What is the difference between this vulnerability and typical Host header injection?
Classic Host header injection often affects routing or session handling in multi-tenant environments. This vulnerability specifically impacts the isAuthenticated function's authorization logic, allowing an authenticated user to circumvent role-based access controls rather than gain initial access.
Are there any known exploits in the wild?
This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no publicly disclosed active exploitation has been reported as of the vulnerability publication date. However, the relatively low barrier to exploitation means affected organizations should not delay patching.
If we have network segmentation limiting dashboard access, are we protected?
Network segmentation provides defense-in-depth but does not fully mitigate this vulnerability. If an authenticated user on a segmented network accesses the dashboard, they can still manipulate Host headers to bypass authorization. The patch must be applied regardless of network architecture.
This analysis is based on the CVE record and official vendor information available as of the publication date. CVSS scores represent a standardized technical severity assessment and do not account for organizational risk context, business criticality, or existing compensating controls. Organizations should verify patch availability and compatibility with their specific decolua 9router deployment and dependencies. Exploit details, proof-of-concept code, and weaponized attack methods are not included in this analysis. For questions regarding your specific environment or incident response needs, consult a qualified security professional or the vendor directly. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10218MEDIUMGoClaw Improper Authorization Vulnerability (CVSS 5.4)
- CVE-2026-10272MEDIUMStudent-Management-System Authorization Bypass in Admin Panel
- CVE-2026-10282MEDIUMBottelet DaybydayCRM Authorization Bypass in DocumentsController
- CVE-2026-10284MEDIUMImproper Authorization in DevaslanPHP Project-Management Comment Functions
- CVE-2026-10285MEDIUMDevaslanPHP Improper Authorization in Ticket Handler
- CVE-2026-10294MEDIUMPackageKit Authorization Bypass in versions up to 1.3.5