PT-2026-57906 · 9Router · 9Router
Published
2026-07-13
·
Updated
2026-07-14
·
CVE-2026-62327
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
9Router versions prior to 0.4.42
Description
An unauthenticated information disclosure issue exists where remote attackers can retrieve plaintext API keys for all connected AI provider accounts. This occurs due to missing authentication middleware on the Next.js API route at the '/api/usage/stats' endpoint. Exploitation allows the retrieval of full API key strings, token counts, cost breakdowns, and request metadata, which can lead to unauthorized account usage, billing fraud, and quota exhaustion.
Recommendations
Update 9Router to version 0.4.42 or later.
As a temporary mitigation, restrict access to the '/api/usage/stats' endpoint.
Fix
Insufficiently Protected Credentials
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
9Router