CVE-2026-49234 | THREATINT

Description

When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes. This only affects users who allow API access from untrusted networks.

PUBLISHED Reserved 2026-05-28 | Published 2026-06-08 | Updated 2026-06-08 | Assigner NLnet Labs

HIGH: 8.2CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Problem types

CWE-20 Improper Input Validation

Product status

Default status

affected

0.15.2 (semver) before *

unaffected

Timeline

2026-03-28:	Issue reported
2026-06-08:	Fixes released

Credits

X41 D-Sec GmbH finder

References

www.nlnetlabs.nl/downloads/routinator/CVE-2026-49234.txt vendor-advisory

cve.org (CVE-2026-49234)

nvd.nist.gov (CVE-2026-49234)

Download JSON