PT-2026-57884 · 9Router · 9Router
Published
2026-07-13
·
Updated
2026-07-13
·
CVE-2026-59801
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
9Router versions prior to 0.4.42
Description
An unauthenticated access issue exists due to missing authentication middleware in the Next.js API routes located under
src/app/api/providers/*. This allows remote attackers to interact with provider management API endpoints without credentials. Exploitation enables the enumeration, creation, modification, or deletion of provider connections, which can lead to the exposure of partial credentials, OAuth tokens, and API keys. Additionally, attackers could redirect AI traffic to servers under their control or cause a complete denial of service by deleting all provider connections.Recommendations
Update 9Router to version 0.4.42 or later.
Restrict access to the
src/app/api/providers/* API endpoints as a temporary mitigation measure.Fix
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
9Router