GHSA-VJC7-JRH9-9J86: Unauthenticated CRUD and Sensitive Data Exposure in 9Router API Endpoints

# security# cve# cybersecurity# ghsa
GHSA-VJC7-JRH9-9J86: Unauthenticated CRUD and Sensitive Data Exposure in 9Router API EndpointsCVE Reports

Unauthenticated CRUD and Sensitive Data Exposure in 9Router API Endpoints Vulnerability...

Unauthenticated CRUD and Sensitive Data Exposure in 9Router API Endpoints

Vulnerability ID: GHSA-VJC7-JRH9-9J86
CVSS Score: 10.0
Published: 2026-07-06

An access control deficiency in the 9Router dashboard allows unauthenticated remote attackers to perform full CRUD operations on integrated AI providers, extract plaintext API keys, and access complete system conversation histories.

TL;DR

Unauthenticated API endpoints in 9Router expose sensitive API keys, allow unauthorized configuration changes, and leak multi-turn conversation transcripts.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-306, CWE-200, CWE-862
  • Attack Vector: Network
  • CVSS Score: 10.0
  • Impact: Total Access Control Bypass, Credential Harvest, Traffic Hijacking
  • Exploit Status: Proof of Concept available

Affected Systems

  • 9Router Dashboard Deployments
  • 9router: <= 0.4.41 (Fixed in: 0.4.45)

Mitigation Strategies

  • Deploy software updates beyond version 0.4.41 to secure administrative API routes.
  • Revoke and rotate all third-party API credentials entered into the dashboard.
  • Establish network-level boundaries (such as a VPN or private subnet) to prevent external access to the analytical dashboard interfaces.

Remediation Steps:

  1. Update 9Router dependencies and deployment instances to version 0.4.45 or newer.
  2. Access the developer consoles of all connected providers (OpenAI, Anthropic, etc.) to cancel current keys and issue replacements.
  3. Implement Next.js middleware handlers to intercept and drop unauthorized traffic hitting the '/api' routing boundaries.

References


Read the full report for GHSA-VJC7-JRH9-9J86 on our website for more details including interactive diagrams and full exploit analysis.