CVE-2026-62327 PUBLISHED

9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats

Assigner: VulnCheck
Reserved: 13.07.2026 Published: 13.07.2026 Updated: 14.07.2026

9Router through version 0.4.41 contains an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit the missing authentication middleware on the Next.js API route to obtain full API key strings alongside token counts, cost breakdowns, and request metadata, enabling unauthorized use of connected AI provider accounts, billing fraud, and quota exhaustion.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor decolua
Product 9Router
Versions Default: unaffected
  • affected from 0 to 0.4.41 (incl.)

Credits

  • Ngô Tấn Tài (@newnol) reporter

References

Problem Types

  • Missing Authentication for Critical Function CWE
  • Insufficiently Protected Credentials CWE