Unauthenticated API Key Exposure in 9Router by Decolua
CVE-2026-62327
9.3CRITICAL
What is CVE-2026-62327?
The 9Router product through version 0.4.41 experiences a vulnerability that permits remote attackers to gain access to plaintext API keys for all connected AI provider accounts. This is achievable by crafting a single unauthenticated request to the /api/usage/stats endpoint. The absence of authentication middleware in the Next.js API route allows attackers to extract complete API key strings, alongside valuable data such as token counts, cost analyses, and request details. Consequently, this vulnerability can lead to unauthorized exploitation of AI provider accounts, potential billing fraud, and exhaustion of usage quotas.
Affected Version(s)
9Router 0 <= 0.4.41
