Skip to main content

9Router CVE-2026-62328

HIGH
Missing Authorization (CWE-862)
2026-07-13 VulnCheck
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Endpoints are network-reachable with no auth or interaction (AV:N/AC:L/PR:N/UI:N); this CVE covers only unauthenticated data disclosure, so C:H with I:N/A:N despite the advisory's broader CRUD impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 13, 2026 - 22:11 vuln.today
Analysis Generated
Jul 13, 2026 - 22:11 vuln.today
CVE Published
Jul 13, 2026 - 21:37 cve.org
HIGH 8.7

DescriptionCVE.org

9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation histories including system prompts, user messages, assistant responses, tool calls, and user email addresses by querying the request-logs and request-details API routes which lack authentication middleware.

AnalysisAI

Unauthenticated information disclosure in 9Router (decolua/9router) through version 0.4.41 lets remote attackers read every user's AI request logs and full conversation histories by querying the /api/usage/request-logs and /api/usage/request-details endpoints, which ship without authentication middleware. Exposed data includes system prompts, user and assistant messages, tool calls, and user email addresses, and the linked GHSA advisory shows the same missing-auth flaw class also leaks plaintext provider API keys via /api/usage/stats and permits unauthenticated CRUD on /api/providers. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed 9Router dashboard
Delivery
GET /api/usage/request-logs unauthenticated
Exploit
Enumerate paginated log IDs
Execution
GET /api/usage/request-details/:id per log
Persist
Harvest conversations, emails, API keys
Impact
Reuse stolen provider keys

Vulnerability AssessmentAI

Exploitation The prerequisite is simply network reachability to a running 9Router instance (version ≤ 0.4.41) whose /api/usage/* endpoints are exposed; the specific enabling condition is that the request-logs and request-details (and stats/providers) API routes lack authentication middleware, so no credentials, session, tokens, or user interaction are needed - no special conditions beyond reaching the HTTP service in a default configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are largely consistent and point to a genuine high-priority exposure where the product is deployed: the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VC:H) describes trivial remote, unauthenticated reads with high confidentiality impact and a base score of 8.7, and CWE-862 with the endpoint-level advisory evidence corroborates that no auth is required against default deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an internet-exposed 9Router dashboard sends an unauthenticated GET to /api/usage/request-logs, pages through the returned log IDs, and then requests /api/usage/request-details/:id for each to harvest complete AI conversations, system prompts, tool calls, and user email addresses. Pivoting to /api/usage/stats yields plaintext provider API keys, which the attacker reuses to bill against or impersonate the victim's AI provider accounts. …
Remediation No vendor-released patch identified at time of analysis - the GHSA advisory records the fixed version as None, so an upgrade target cannot be cited. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all 9Router instances by testing network accessibility to /api/usage/request-logs endpoint from your perimeter; confirm all running versions ≤0.4.41 and document affected systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-59801 CRITICAL POC
9.3 Jul 13

Unauthenticated CRUD on the provider-management API in 9Router (through 0.4.41) lets remote attackers with no credential

CVE-2026-5842 MEDIUM POC
5.5 Apr 09

Remote authorization bypass in decolua 9router up to version 0.3.47 allows unauthenticated network attackers to access t

CVE-2026-62327 CRITICAL
9.3 Jul 13

Unauthenticated API key disclosure in 9Router (npm package '9router' by decolua) through version 0.4.41 lets any remote

CVE-2026-62312 HIGH
8.8 Jul 15

Authenticated remote code execution in 9Router before 0.5.2 lets a logged-in attacker run arbitrary OS commands on the h

CVE-2026-56679 HIGH
8.7 Jul 15

Authentication bypass in 9Router (AI router & token saver) prior to 0.5.4 lets any authenticated user disable applicatio

CVE-2026-55638 HIGH
8.6 Jul 10

Authorization-gate bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker reach protect

CVE-2026-56675 HIGH
8.3 Jul 10

Authentication bypass in 9Router (decolua/9router) versions prior to 0.5.2 lets remote unauthenticated attackers reach p

CVE-2026-55641 HIGH
8.2 Jul 10

Authentication bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker forge a 'Host: lo

CVE-2026-56676 HIGH
7.4 Jul 10

Server-side request forgery via DNS rebinding in 9Router (decolua/9router) before 0.5.2 allows an authenticated LLM-prox

CVE-2026-56678 MEDIUM
6.4 Jul 15

Server-side request forgery (SSRF) in 9Router's Kiro API-key validation endpoint allows authenticated attackers to redir

CVE-2026-10269 MEDIUM
5.3 Jun 01

Improper authorization in decolua 9router through version 0.4.0 allows remote attackers with low privileges to bypass JW

Share

CVE-2026-62328 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy