Home

Description

9Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middleware in the Next.js API routes under src/app/api/providers/*. Attackers can enumerate, create, modify, or delete provider connections to expose partial credentials, OAuth tokens, and API keys, redirect AI traffic to attacker-controlled servers, or cause complete denial of service by deleting all provider connections.

PUBLISHED Reserved 2026-07-07 | Published 2026-07-13 | Updated 2026-07-14 | Assigner VulnCheck




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Missing Authentication for Critical Function

Product status

Default status
unaffected

Any version
affected

Credits

Ngô Tấn Tài (@newnol) reporter

References

github.com/...router/security/advisories/GHSA-vjc7-jrh9-9j86 exploit

github.com/...router/security/advisories/GHSA-vjc7-jrh9-9j86 (GitHub Security Advisory (GHSA-vjc7-jrh9-9j86)) vendor-advisory

www.vulncheck.com/...nticated-api-exposure-via-api-providers (VulnCheck Advisory: 9Router 0.4.41 - Unauthenticated API Exposure via /api/providers) third-party-advisory

cve.org (CVE-2026-59801)

nvd.nist.gov (CVE-2026-59801)

Download JSON