GHSA-qvfm-67h2-2qfx: 9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover
Summary
The /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) without any authentication requirement beyond the ALWAYS_PROTECTED middleware check, which only validates JWT or CLI token. Combined with other vulnerabilities (e.g., default password, tunnel exposure), this enables complete database takeover.
Description
The endpoint /api/settings/database is listed in ALWAYS_PROTECTED in dashboardGuard.js (line 42), which requires a valid JWT token or CLI token. However, this protection is insufficient because:
1. GET (Export): Returns the complete database including API keys (key field in apiKeys table), OAuth tokens, and all provider credentials. Line 80 in src/lib/db/index.js: apiKeys: db.all("SELECT * FROM apiKeys").map(...) — the key field contains the plaintext API key value.
2. POST (Import): Accepts arbitrary JSON and performs a complete database wipe-and-replace in a transaction (lines 102-163 in src/lib/db/index.js). This replaces all settings including the password hash, effectively allowing an attacker to set their own password.
3. The exported data includes apiKeys with their plaintext key values, providerConnections with all OAuth tokens, and settings with OIDC client secrets.
Evidence
File: src/app/api/settings/database/route.js
export async function GET() {
const payload = await exportDb();
return NextResponse.json(payload);
}
export async function POST(request) {
const payload = await request.json();
await importDb(payload);
// ...
}
File: src/lib/db/index.js (lines 96-163)
export async function importDb(payload) {
db.transaction(() => {
// Wipe all tables
db.run(DELETE FROM settings);
db.run(DELETE FROM providerConnections);
db.run(DELETE FROM providerNodes);
db.run(DELETE FROM proxyPools);
db.run(DELETE FROM apiKeys);
db.run(DELETE FROM combos);
db.run(DELETE FROM kv WHERE scope IN (...));
// Then insert attacker-contr
Details
Original advisory: https://github.com/advisories/GHSA-qvfm-67h2-2qfx
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-55500 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10