Skip to main content

9router EUVDEUVD-2026-42928

| CVE-2026-55500 CRITICAL
Information Exposure (CWE-200)
2026-07-06 https://github.com/decolua/9router GHSA-qvfm-67h2-2qfx
9.9
CVSS 3.1 · Vendor: https://github.com/decolua/9router
Share

Severity by source

Vendor (https://github.com/decolua/9router) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Remote endpoint reachable with any valid session (PR:L, AC:L, UI:N); leaked provider credentials enable downstream compromise (S:C) with full read (C:H), overwrite (I:H), and wipe (A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N

Primary rating from Vendor (https://github.com/decolua/9router).

CVSS VectorVendor: https://github.com/decolua/9router

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jul 10, 2026 - 18:01 EUVD
Analysis Generated
Jul 06, 2026 - 22:22 vuln.today
CVE Published
Jul 06, 2026 - 21:37 github-advisory
CRITICAL 9.9

DescriptionCVE.org

Summary

The /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) without any authentication requirement beyond the ALWAYS_PROTECTED middleware check, which only validates JWT or CLI token. Combined with other vulnerabilities (e.g., default password, tunnel exposure), this enables complete database takeover.

Description

The endpoint /api/settings/database is listed in ALWAYS_PROTECTED in dashboardGuard.js (line 42), which requires a valid JWT token or CLI token. However, this protection is insufficient because:

  1. GET (Export): Returns the complete database including API keys (key field in apiKeys table), OAuth tokens, and all provider credentials. Line 80 in src/lib/db/index.js: apiKeys: db.all("SELECT * FROM apiKeys").map(...) - the key field contains the plaintext API key value.
  2. POST (Import): Accepts arbitrary JSON and performs a complete database wipe-and-replace in a transaction (lines 102-163 in src/lib/db/index.js). This replaces all settings including the password hash, effectively allowing an attacker to set their own password.
  3. The exported data includes apiKeys with their plaintext key values, providerConnections with all OAuth tokens, and settings with OIDC client secrets.

Evidence

File: src/app/api/settings/database/route.js

javascript
export async function GET() {
  const payload = await exportDb();
  return NextResponse.json(payload);
}

export async function POST(request) {
  const payload = await request.json();
  await importDb(payload);
  // ...
}

File: src/lib/db/index.js (lines 96-163)

javascript
export async function importDb(payload) {
  db.transaction(() => {
    // Wipe all tables
    db.run(`DELETE FROM settings`);
    db.run(`DELETE FROM providerConnections`);
    db.run(`DELETE FROM providerNodes`);
    db.run(`DELETE FROM proxyPools`);
    db.run(`DELETE FROM apiKeys`);
    db.run(`DELETE FROM combos`);
    db.run(`DELETE FROM kv WHERE scope IN (...)`);
    // Then insert attacker-controlled data
    // ...
  });
}

The exportDb function at line 80 exposes API key plaintext:

javascript
apiKeys: db.all(`SELECT * FROM apiKeys`).map((r) => ({
  id: r.id, key: r.key, name: r.name, ...
})),

Steps to Reproduce

  1. Authenticate with any valid JWT (e.g., using the default password "123456")
  2. Export: curl -b auth_token=<jwt> http://localhost:20128/api/settings/database
  3. Observe: Full database dump with all credentials in plaintext
  4. Import malicious data: curl -X POST -b auth_token=<jwt> -H "Content-Type: application/json" -d '<modified-db>' http://localhost:20128/api/settings/database
  5. All settings, passwords, API keys are now replaced with attacker-controlled values

Impact

  • Confidentiality: Complete exposure of all stored secrets (API keys, OAuth tokens, OIDC client secrets)
  • Integrity: Complete database replacement with attacker-controlled data
  • Availability: Database wipe is possible by importing an empty database
  • Scope Changed: Importing new settings affects all users and downstream services

Recommended Fix

  1. Require re-authentication for database export/import (not just an existing session)
  2. Mask/redact API keys in export (or require explicit opt-in for key export)
  3. Add confirmation step for import (require current password verification)
  4. Implement database backup before import
  5. Log all export/import operations with audit trail

AnalysisAI

Complete database export and overwrite in the 9router npm application is possible for any authenticated user via the /api/settings/database endpoint, which is guarded only by the ALWAYS_PROTECTED session check (JWT or CLI token). A low-privileged attacker can GET the full database - including plaintext API keys, OAuth tokens, and OIDC client secrets - and POST an attacker-crafted database that wipes and replaces all tables, including the password hash, yielding total takeover. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Reach exposed 9router dashboard
Delivery
Authenticate with default password 123456
Exploit
GET /api/settings/database export
Install
Exfiltrate plaintext keys and OAuth tokens
C2
POST attacker-crafted database
Execute
Overwrite password hash and settings
Impact
Pivot into downstream provider accounts

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session - a JWT (auth_token cookie) or CLI token accepted by the ALWAYS_PROTECTED middleware in dashboardGuard.js - so it is NOT unauthenticated (PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals mostly align toward high severity but with an important nuance on privileges. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains a session on a 9router instance - for example by logging in with the unchanged default password '123456' on an exposed dashboard - sends GET /api/settings/database and receives a full JSON dump containing plaintext API keys, OAuth tokens, and OIDC secrets. They then POST a modified database to the same endpoint, overwriting the stored password hash and settings to lock out the owner and persist control, and reuse the leaked credentials to pivot into connected downstream provider accounts. …
Remediation No vendor-released patched version was identified at time of analysis, so remediation currently rests on configuration and the maintainer's recommended code fixes in GHSA-qvfm-67h2-2qfx. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all 9router deployments and verify whether default credentials have been changed; immediately isolate or disable instances using password '123456'. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42928 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy