9Router through version 0.4.41 exposes its provider management API without any authentication, letting remote attackers steal AI provider credentials, hijack traffic, or wipe all connections.
What Is It
CVE-2026-59801 is an unauthenticated access vulnerability (CWE-306, Missing Authentication for a Critical Function) in 9Router, an npm-distributed AI routing application from decolua. The Next.js API routes under src/app/api/providers/* lack authentication middleware, so remote attackers can send requests to provider management endpoints without any credentials. It carries a CVSS 3.1 base score of 9.8 (CRITICAL) with a network attack vector, low complexity, and no privileges or user interaction required.
Why It Matters
With no credentials required, an attacker can enumerate, create, modify, or delete provider connections. This exposes partial credentials, OAuth tokens, and API keys, and allows attackers to redirect AI traffic to attacker-controlled servers. It also enables complete denial of service by deleting all provider connections. The flaw affects confidentiality, integrity, and availability equally; a rare full-impact combination that makes exploitation both high-value and low-effort.
What's Vulnerable
- Product: 9Router (npm package
pkg:npm/9router), vendor decolua - Affected versions: all releases through 0.4.41 (version 0 up to and including 0.4.41)
- Root cause: missing authentication middleware on the
src/app/api/providers/*Next.js API routes
Patch Status
This CVE was published on 2026-07-13 with a vulnerability status of "Received." A GitHub security advisory (GHSA-vjc7-jrh9-9j86) and a VulnCheck advisory have been issued. The supplied source material does not confirm a fixed version, and there is no CISA KEV entry accompanying this record, so active exploitation is not confirmed in the provided data. Administrators running 9Router should restrict network access to the provider API and monitor the linked advisories for a patched release.