PT-2026-57906 · 9Router · 9Router

Published

2026-07-13

·

Updated

2026-07-14

·

CVE-2026-62327

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions 9Router versions prior to 0.4.42
Description An unauthenticated information disclosure issue exists where remote attackers can retrieve plaintext API keys for all connected AI provider accounts. This occurs due to missing authentication middleware on the Next.js API route at the '/api/usage/stats' endpoint. Exploitation allows the retrieval of full API key strings, token counts, cost breakdowns, and request metadata, which can lead to unauthorized account usage, billing fraud, and quota exhaustion.
Recommendations Update 9Router to version 0.4.42 or later. As a temporary mitigation, restrict access to the '/api/usage/stats' endpoint.

Fix

Insufficiently Protected Credentials

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-62327

Affected Products

9Router