Database Export and Import Vulnerability in 9Router by Decolua
CVE-2026-55500
9.9CRITICAL
What is CVE-2026-55500?
The 9Router, an AI-driven router and token management tool, contains a significant vulnerability in its '/api/settings/database' endpoint prior to version 0.4.80. This flaw permits unauthorized full database exports and imports, allowing malicious actors to access sensitive information such as credentials, API keys, and OAuth tokens, all without proper authentication. The issue arose due to an inadequate authentication mechanism that relied solely on the ALWAYS_PROTECTED middleware, which merely verifies JWT or CLI tokens. Users are strongly advised to upgrade to version 0.4.80, where this vulnerability has been addressed.
Affected Version(s)
9router < 0.4.80
