CVE-2026-62328

decolua · 9Router

9Router is vulnerable to unauthenticated information disclosure through API usage endpoints, resulting from missing authorization and improper exposure of sensitive data.

Executive summary

An unauthenticated information disclosure vulnerability in 9Router allows unauthorized access to sensitive private data via API endpoints.

Vulnerability

This vulnerability stems from missing authorization checks, which allows an unauthenticated attacker to access private personal information via API usage endpoints.

Business impact

The CVSS score of 7.5 reflects the high risk posed by unauthenticated access to sensitive data. A successful exploit could lead to a significant data breach, compromising user privacy and potentially violating regulatory compliance requirements regarding data protection.

Remediation

Immediate Action: Upgrade to a version beyond 0.4.41 as soon as the vendor provides a security update, or apply the latest available version if a fix has been integrated.

Proactive Monitoring: Review API access logs for unauthorized requests or suspicious patterns targeting usage endpoints to identify potential reconnaissance or exploitation attempts.

Compensating Controls: Implement strict network-level access controls or API gateway authentication to restrict access to sensitive endpoints until a permanent software patch can be applied.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the ease of exploitation for unauthenticated API vulnerabilities, organizations utilizing 9Router should treat this as a high-priority item. Immediate steps to restrict network access to the affected API endpoints are recommended until the vendor releases a formal security patch.