9Router
CVE-2026-62327
CRITICAL
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network GET with no interaction (AV:N/AC:L/PR:N/UI:N) yields high confidentiality via plaintext key leak; the endpoint itself is read-only, so I:N/A:N for this specific disclosure.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit the missing authentication middleware on the Next.js API route to obtain full API key strings alongside token counts, cost breakdowns, and request metadata, enabling unauthorized use of connected AI provider accounts, billing fraud, and quota exhaustion.
AnalysisAI
Unauthenticated API key disclosure in 9Router (npm package '9router' by decolua) through version 0.4.41 lets any remote attacker retrieve full plaintext API keys for every connected AI provider by issuing a single GET to the /api/usage/stats endpoint, which lacks authentication middleware. The same missing-auth flaw class extends to unauthenticated CRUD on /api/providers and exposure of full conversation histories, so an attacker can harvest credentials, hijack provider accounts, and commit billing fraud or quota exhaustion. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network reachability to a running 9Router instance (version <= 0.4.41) with its Next.js dashboard exposed; the specific prerequisite is HTTP access to the /api/usage/stats route, which ships with no authentication middleware. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are strongly aligned toward high real-world severity for deployed instances: the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VC:H/VI:H) describes trivial network-reachable, unauthenticated, no-interaction exploitation, and the flaw is a deterministic single-request read rather than a probabilistic memory-corruption bug, so exploitation is effectively guaranteed once an instance is reachable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans for internet-exposed 9Router dashboards and sends a single unauthenticated GET to /api/usage/stats, receiving every connected provider's full 'sk-...' API key in the JSON response. They then replay those keys directly against the upstream AI providers to run inference on the victim's dime (billing fraud) and exhaust quotas, and optionally POST to /api/providers to insert an attacker-controlled proxy that captures future prompts and responses. … |
| Remediation | No vendor-released patch identified at time of analysis (advisory states 'fixed in: None'), so upgrading is not currently an option; monitor the GitHub advisory GHSA-vjc7-jrh9-9j86 (https://github.com/decolua/9router/security/advisories/GHSA-vjc7-jrh9-9j86) and the VulnCheck advisory (https://www.vulncheck.com/advisories/9router-unauthenticated-api-key-exposure-via-api-usage-stats) for a fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all 9router ≤0.4.41 deployments via npm dependency scanning, immediately revoke and rotate all AI provider API keys across all connected services, and isolate affected instances from production traffic. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated CRUD on the provider-management API in 9Router (through 0.4.41) lets remote attackers with no credential
Remote authorization bypass in decolua 9router up to version 0.3.47 allows unauthenticated network attackers to access t
Authenticated remote code execution in 9Router before 0.5.2 lets a logged-in attacker run arbitrary OS commands on the h
Unauthenticated information disclosure in 9Router (decolua/9router) through version 0.4.41 lets remote attackers read ev
Authentication bypass in 9Router (AI router & token saver) prior to 0.5.4 lets any authenticated user disable applicatio
Authorization-gate bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker reach protect
Authentication bypass in 9Router (decolua/9router) versions prior to 0.5.2 lets remote unauthenticated attackers reach p
Authentication bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker forge a 'Host: lo
Server-side request forgery via DNS rebinding in 9Router (decolua/9router) before 0.5.2 allows an authenticated LLM-prox
Server-side request forgery (SSRF) in 9Router's Kiro API-key validation endpoint allows authenticated attackers to redir
Improper authorization in decolua 9router through version 0.4.0 allows remote attackers with low privileges to bypass JW
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today