Unauthenticated Access Vulnerability in 9Router by Decolua
CVE-2026-59801

9.3CRITICAL

Key Information:

Vendor

Decolua

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-59801?

The 9Router application prior to version 0.4.41 has a critical flaw that allows remote attackers to exploit unauthenticated access to the provider management API. This vulnerability enables attackers to send requests without valid credentials due to the absence of authentication middleware in specific Next.js API routes. Exploitation can lead to the enumeration, creation, modification, or deletion of provider connections, resulting in the exposure of sensitive information such as OAuth tokens and API keys. Additionally, attackers could redirect AI traffic to malicious servers and trigger a complete denial of service by removing all provider connections.

Affected Version(s)

9Router 0 <= 0.4.41

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ngô Tấn Tài (@newnol)
.