CVE-2026-49234: Routinator API Denial of Service via Non-UTF-8 Input
Routinator, an open-source RPKI relying party software maintained by NLnet Labs, crashes when it receives a malformed (non-UTF-8 encoded) query parameter in API requests. An attacker sending a specially crafted string to the /api/v1/origins endpoint can trigger a denial-of-service condition that takes the service offline. The vulnerability only affects deployments that expose the Routinator API to untrusted networks without additional access controls.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes. This only affects users who allow API access from untrusted networks.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49234 is an input validation flaw (CWE-20) in Routinator's API handler. The vulnerability exists in the /api/v1/origins endpoint, which fails to properly validate the select-asn query parameter before processing. When a non-UTF-8 encoded string is passed to this parameter, the application crashes rather than gracefully rejecting the malformed input. The crash results in complete unavailability of the Routinator service until manual restart. The issue requires no authentication and can be triggered remotely by any network-adjacent attacker with access to the exposed API port.
Business impact
Organizations relying on Routinator for RPKI validation in their BGP routing infrastructure face service interruption risk. Routinator is commonly deployed as a critical component in DNS security and internet routing validation workflows. A denial-of-service attack exploiting this flaw could prevent legitimate RPKI queries from being processed, potentially causing downstream routing policy validation to fail or stall. Recovery requires manual intervention and service restart, extending outage duration. The impact is amplified in environments where Routinator is not redundantly deployed.
Affected systems
NLnet Labs Routinator is affected across all versions that do not include the fix. Routinator is used by network operators, DNS providers, and security teams managing RPKI relying party infrastructure. The vulnerability applies specifically to instances where the API is accessible from untrusted networks. Organizations with API exposure limited to internal or trusted networks have reduced exposure, but should verify their network access controls.
Exploitability
Exploitability is high due to the absence of authentication requirements, low attack complexity, and the availability of network access to trigger the condition. An attacker needs only to craft a non-UTF-8 string and issue a single HTTP request—no special tools, credentials, or user interaction are required. The attack is reliable and deterministic once the vulnerable API endpoint is discovered and reachable. However, exploitation is limited to environments where Routinator's API is exposed to untrusted networks; air-gapped or internally-restricted deployments face lower risk.
Remediation
Apply the patched version of Routinator released by NLnet Labs following the June 17, 2026 advisory modification date. Verify against the official NLnet Labs GitHub repository and security advisories for the specific version number. In the interim, restrict API access to trusted networks only by implementing network-level access controls (firewall rules, VPN requirements, or API gateway authentication). Monitor for unusual API request patterns, particularly requests with non-UTF-8 characters in query parameters.
Patch guidance
NLnet Labs has issued updates addressing this input validation flaw. Check the official Routinator repository and security advisory for the patched version number and release date. Update procedures typically involve stopping the Routinator service, replacing the binary or pulling the latest container image, and restarting. Verify the fix by attempting to send a non-UTF-8 select-asn parameter to a test environment; the service should return a 400 Bad Request error rather than crashing. Test the update in a non-production environment first to confirm compatibility with your RPKI workflow.
Detection guidance
Monitor Routinator logs and system metrics for sudden service crashes or unexpected restarts correlated with API traffic spikes. Watch for HTTP requests to /api/v1/origins containing non-UTF-8 encoded characters in the select-asn parameter. Implement rate-limiting on the API endpoint to reduce the impact of repeated exploitation attempts. Network intrusion detection systems can be tuned to flag requests with invalid UTF-8 encoding patterns targeting Routinator API ports. Track process exit codes and restart frequency as early indicators of exploitation.
Why prioritize this
This vulnerability merits rapid remediation due to its HIGH CVSS score (7.5), lack of authentication requirement, and direct impact on critical routing infrastructure. While not yet on the CISA Known Exploited Vulnerabilities list, the ease of exploitation and availability of the vulnerable endpoint to remote attackers make it an attractive target. Organizations operating Routinator with API exposure should prioritize patching within their next maintenance window, particularly those without redundant RPKI validation infrastructure.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible, unauthenticated denial-of-service condition with complete impact on availability. The attack vector is network-based, attack complexity is low, and no privileges or user interaction are required. The scope is unchanged (only the vulnerable service is impacted), and there is no confidentiality or integrity loss—only availability. The score would be lower if the API required authentication or if the service degraded gracefully rather than crashing completely.
Frequently asked questions
Does this vulnerability affect Routinator instances with API disabled or not exposed to the network?
No. The vulnerability requires network access to the /api/v1/origins endpoint. If your Routinator deployment does not expose the API or listens only on localhost/internal interfaces, you are not at risk. Verify your Routinator configuration to confirm API exposure scope.
Can this vulnerability be exploited without prior knowledge of Routinator running on a system?
The vulnerability requires an attacker to discover that Routinator is running and accessible on a specific network port. However, once the service is found (via port scanning or network reconnaissance), exploitation is trivial and requires no additional reconnaissance. Restricting API access to trusted networks significantly reduces the likelihood of discovery.
What is the difference between patching and access control as a mitigation?
Patching fixes the underlying input validation flaw and allows the API to safely reject malformed requests. Network access control (firewall rules, VPN gating) prevents untrusted attackers from reaching the API in the first place. Both are recommended: apply the patch as a long-term fix, and implement access controls as an immediate interim measure until patching is complete.
Will this vulnerability cause data loss or compromise my RPKI certificates?
No. This is a denial-of-service flaw that crashes the service; it does not compromise stored RPKI data, keys, or the integrity of validation results. Your RPKI database and certificate store remain intact after a crash, and normal operation resumes after restart.
This analysis is based on publicly available information as of the CVE publication and modification dates. Exploit details are not provided. Organizations should verify patch availability and compatibility with their specific Routinator version and deployment architecture before applying updates. Network environment, access controls, and redundancy configurations materially affect risk and should be assessed independently. Consult NLnet Labs' official security advisory and repository for authoritative guidance on patching and affected versions. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2026-0078HIGHAndroid Privilege Escalation via DevicePolicyManagerService Desync
- CVE-2026-0419HIGHNETGEAR JR6150 Command Injection via Insufficient Input Validation
- CVE-2026-10020HIGHChrome Android Sandbox Escape via Skia Input Validation Flaw
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10863HIGHMISP Correlations Query Ordering Vulnerability (CVSS 8.1)
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)