PT-2026-57884 · 9Router · 9Router

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-59801

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions 9Router versions prior to 0.4.42
Description An unauthenticated access issue exists due to missing authentication middleware in the Next.js API routes located under src/app/api/providers/*. This allows remote attackers to interact with provider management API endpoints without credentials. Exploitation enables the enumeration, creation, modification, or deletion of provider connections, which can lead to the exposure of partial credentials, OAuth tokens, and API keys. Additionally, attackers could redirect AI traffic to servers under their control or cause a complete denial of service by deleting all provider connections.
Recommendations Update 9Router to version 0.4.42 or later. Restrict access to the src/app/api/providers/* API endpoints as a temporary mitigation measure.

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59801

Affected Products

9Router