Database Export and Import Vulnerability in 9Router by Decolua
CVE-2026-55500

9.9CRITICAL

Key Information:

Vendor

Decolua

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55500?

The 9Router, an AI-driven router and token management tool, contains a significant vulnerability in its '/api/settings/database' endpoint prior to version 0.4.80. This flaw permits unauthorized full database exports and imports, allowing malicious actors to access sensitive information such as credentials, API keys, and OAuth tokens, all without proper authentication. The issue arose due to an inadequate authentication mechanism that relied solely on the ALWAYS_PROTECTED middleware, which merely verifies JWT or CLI tokens. Users are strongly advised to upgrade to version 0.4.80, where this vulnerability has been addressed.

Affected Version(s)

9router < 0.4.80

References

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.