CVE-2026-62327
decolua · 9Router
The decolua 9Router /api/usage/stats endpoint lacks authentication, allowing unauthenticated attackers to retrieve plaintext API keys for connected AI accounts.
Executive summary
A critical unauthenticated information disclosure flaw in decolua 9Router allows attackers to steal sensitive AI provider API keys.
Vulnerability
This is a combination of missing authentication for critical functions (CWE-306) and insufficiently protected credentials (CWE-522). The application exposes sensitive API strings and usage metadata via an unauthenticated API route.
Business impact
Exploitation allows attackers to hijack third-party AI provider accounts, leading to unauthorized usage, billing fraud, and potential exhaustion of usage quotas. Given the CVSS score of 9.1, the financial and operational impact to organizations relying on these integrations is high.
Remediation
Immediate Action: Update decolua 9Router to the latest version (post-0.4.41) as specified by the vendor advisory.
Proactive Monitoring: Monitor API logs for unusual access patterns to the /api/usage/stats endpoint and check AI provider dashboards for anomalous usage spikes.
Compensating Controls: Revoke and rotate all existing AI provider API keys currently managed by the 9Router software as a precautionary measure.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Due to the ease of exploitation and the high impact of credential theft, users must update their 9Router instances immediately. Furthermore, all API keys stored within the application should be considered compromised and must be rotated following the update.