CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-vjc7-jrh9-9j86: 9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats

criticalCVSS 10
title: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats product: 9Router version: <= 0.4.41 severity: critical cve_request: true Summary Multiple critical API security vulnerabilities were discovered in 9Router's Next.js dashboard. The /api/providers endpoints lack authentication entirely, allowing anyone to create, read, update, and delete provider connections. Additionally, /api/usage/stats exposes full plaintext API keys, and /api/usage/request-logs + /api/usage/request-details expose all users' request history and full conversation contents (including system prompts, user messages, assistant responses) without authentication. Affected Endpoints | Endpoint | Method | Issue | |---|---|---| | /api/providers | GET | Lists all provider connections with partial credentials, OAuth tokens, account IDs | | /api/providers/:id | GET | Read any single provider detail (IDOR) | | /api/providers | POST | Create arbitrary provider connections with attacker-controlled API keys | | /api/providers/:id | PUT | Modify any existing provider connection | | /api/providers/:id | DELETE | Delete any provider connection | | /api/usage/stats | GET | Exposes full plaintext API keys, per-account usage breakdown, cost data | | /api/usage/request-logs | GET | Exposes all users' request logs (model, tokens, cost, timestamp, provider) | | /api/usage/request-details/:id | GET | Exposes full conversation turns including system prompts, user messages, assistant responses | | /api/version | GET | Exposes current version info | | /api/models | GET | Exposes full model routing catalog | | /api/v1/models | GET | Exposes model list | Impact Critical: Provider CRUD without authentication An attacker can: 1. Add a malicious provider — inject a provider that proxies through their server, capturing all prompts, responses, and API keys routed through 9Router 2. Modify existing providers — replace API keys with attacker-controlled ones, redirect traffic 3. Delete all pr

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
critical — CVSS 10
Published
2026-07-06
Last updated
2026-07-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-vjc7-jrh9-9j86

More from GitHub Security Advisories