Unauthenticated Information Disclosure in 9Router by Decolua
CVE-2026-62328
8.7HIGH
What is CVE-2026-62328?
The 9Router software prior to version 0.4.41 presents an unauthenticated information disclosure vulnerability, permitting unprivileged remote actors to extract sensitive user data. By issuing requests to exposed API endpoints lacking proper authentication, attackers can systematically enumerate paginated request logs. This can lead to the inadvertent retrieval of comprehensive AI conversation histories including system prompts, user messages, assistant responses, tool invocations, and user email addresses. The absence of authentication middleware on the request-logs and request-details API routes significantly increases the risk of undesirable access to personal information.
Affected Version(s)
9Router 0 <= 0.4.41
