CVE-2026-59801
decolua · 9Router
A missing authentication vulnerability in decolua 9Router allows unauthenticated remote attackers to interact with management API endpoints.
Executive summary
Unauthenticated access to 9Router API endpoints allows remote attackers to manipulate provider connections, potentially exposing credentials and hijacking traffic.
Vulnerability
The application lacks necessary authentication middleware in its Next.js API routes, specifically under src/app/api/providers/. This flaw (CWE-306) allows any unauthenticated user to perform administrative actions, including the deletion of connections or redirection of traffic.
Business impact
The ability to manipulate provider connections carries severe business consequences, including the theft of sensitive API keys and OAuth tokens. By redirecting AI traffic, attackers can intercept proprietary data or disrupt service operations, resulting in significant reputational and operational damage.
Remediation
Immediate Action: Update the 9Router instance to a version beyond 0.4.41 as soon as a patch is released by the vendor.
Proactive Monitoring: Review API access logs for unauthorized requests to the /api/providers/ endpoint, particularly those originating from unknown or suspicious IP addresses.
Compensating Controls: Implement network-level access controls to restrict access to the API endpoints to authorized IP addresses only until the software is updated.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
This vulnerability presents a high risk to data confidentiality and integrity. Organizations utilizing 9Router should treat this as a high-priority item, ensuring that management interfaces are not exposed to the public internet and that the software is updated immediately upon the availability of a fix.