Vulnerability DatabaseCVE-2026-9495
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-9495
Published:May 26, 2026
Updated:June 11, 2026
Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an attacker could bypass authentication and authorization, evade rate limiting or bypass input sanitization.
Affected Packages
https://github.com/koajs/router.git (GITHUB):
Affected version(s) =v14.0.0 <v15.0.0
Fix Suggestion:
Update to version v15.0.0
@koa/router (NPM):
Affected version(s) =14.0.0 <15.0.0
Fix Suggestion:
Update to version 15.0.0
Related Resources (3)
https://github.com/koajs/router/pull/206
https://github.com/koajs/router/commit/d53e17f284557b1f417946f9807ee52290c3c759
https://github.com/koajs/router/issues/202
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.5
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
POC
CVSS v3
Base Score:
7.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Improper Access Control
CWE-284
EPSS
Base Score:
0.10