Unauthenticated Access Vulnerability in 9Router by Decolua
CVE-2026-59801
9.3CRITICAL
What is CVE-2026-59801?
The 9Router application prior to version 0.4.41 has a critical flaw that allows remote attackers to exploit unauthenticated access to the provider management API. This vulnerability enables attackers to send requests without valid credentials due to the absence of authentication middleware in specific Next.js API routes. Exploitation can lead to the enumeration, creation, modification, or deletion of provider connections, resulting in the exposure of sensitive information such as OAuth tokens and API keys. Additionally, attackers could redirect AI traffic to malicious servers and trigger a complete denial of service by removing all provider connections.
Affected Version(s)
9Router 0 <= 0.4.41
