Unauthenticated API Key Exposure in 9Router by Decolua
CVE-2026-62327

9.3CRITICAL

Key Information:

Vendor

Decolua

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-62327?

The 9Router product through version 0.4.41 experiences a vulnerability that permits remote attackers to gain access to plaintext API keys for all connected AI provider accounts. This is achievable by crafting a single unauthenticated request to the /api/usage/stats endpoint. The absence of authentication middleware in the Next.js API route allows attackers to extract complete API key strings, alongside valuable data such as token counts, cost analyses, and request details. Consequently, this vulnerability can lead to unauthorized exploitation of AI provider accounts, potential billing fraud, and exhaustion of usage quotas.

Affected Version(s)

9Router 0 <= 0.4.41

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ngô Tấn Tài (@newnol)
.