CVE-2026-59801
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
9Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middleware in the Next.js API routes under src/app/api/providers/*. Attackers can enumerate, create, modify, or delete provider connections to expose partial credentials, OAuth tokens, and API keys, redirect AI traffic to attacker-controlled servers, or cause complete denial of service by deleting all provider connections.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| decolua | 9Router | 0 <= 0.4.41 | affected |
Weaknesses
- CWE-306: Missing Authentication for Critical Function
References
- https://github.com/decolua/9router/security/advisories/GHSA-vjc7-jrh9-9j86
- https://www.vulncheck.com/advisories/9router-unauthenticated-api-exposure-via-api-providers
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.