Cyber Posture

CVE-2026-5842

Severity: High
Published: 09 April 2026
Modified: 24 April 2026
KEV Added: not listed in CISA KEV
Patch: upgrade to version 0.3.75
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0006 (18.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5842 is a high-severity Improper Authorization (CWE-285) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 18.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mitigates the CVE by requiring timely identification, reporting, and correction of the authorization bypass flaw through patching to version 0.3.75.

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to administrative API endpoints, directly countering the authorization bypass vulnerability.

AC-6 Least Privilege (prevent): Limits privileges to only those essential for administrative functions, reducing the impact of any successful authorization bypass.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

An authorization bypass in a public-facing administrative API endpoint enables remote exploitation without credentials, directly matching T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component.

Deeper analysis

CVE-2026-5842 is an authorization bypass vulnerability affecting decolua 9router versions up to 0.3.47. The issue resides in an unknown function within the /api file of the Administrative API Endpoint component. This flaw, associated with CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key), has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), rated as High severity.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows bypassing authorization controls, potentially granting unauthorized access to administrative functions and leading to limited impacts on confidentiality, integrity, and availability.

Mitigation is addressed by upgrading to decolua 9router version 0.3.75, as detailed in the project's GitHub release notes. Security advisories in GitHub issue #431 and related comments confirm the fix and discuss the vulnerability.

The exploit has been publicly disclosed, with a proof-of-concept available in a public GitHub repository, increasing the risk of active exploitation.

Details

CWE(s): CWE-285 (Improper Authorization), CWE-639 (Authorization Bypass Through User-Controlled Key)

CVEs Like This One

CVE-2025-15582 (shared: CWE-285, CWE-639)
CVE-2024-50617 (shared: CWE-285)
CVE-2023-53914 (shared: CWE-639)
CVE-2025-10855 (shared: CWE-639)
CVE-2025-0352 (shared: CWE-639)
CVE-2026-3124 (shared: CWE-639)
CVE-2025-10024 (shared: CWE-639)
CVE-2026-40246 (shared: CWE-285)
CVE-2024-50693 (shared: CWE-639)
CVE-2025-7013 (shared: CWE-639)
