Description

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass because middleware is silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an attacker could bypass authentication and authorization, evade rate limiting, or bypass input sanitization.

PUBLISHED | Reserved 2026-05-25 | Published 2026-05-26 | Updated 2026-05-26 | Assigner: snyk

MEDIUM: 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
HIGH: 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

Problem types

Access Control Bypass

Credits

Ryan Mitchell

References

github.com/koajs/router/pull/206 (tagged: exploit)

security.snyk.io/vuln/SNYK-JS-KOAROUTER-12215044

github.com/koajs/router/issues/202

github.com/koajs/router/pull/206

github.com/...ommit/d53e17f284557b1f417946f9807ee52290c3c759

cve.org (CVE-2026-9495)

nvd.nist.gov (CVE-2026-9495)