SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-59801 2026-07-13

CVE-2026-59801: Unauthenticated Provider API Exposure in 9Router

"9Router through version 0.4.41 exposes its provider management API without any authentication, letting remote attackers steal AI provider credentials, hijack traffic, or wipe all connections."

9Router through version 0.4.41 exposes its provider management API without any authentication, letting remote attackers steal AI provider credentials, hijack traffic, or wipe all connections.

What Is It

CVE-2026-59801 is an unauthenticated access vulnerability (CWE-306, Missing Authentication for a Critical Function) in 9Router, an npm-distributed AI routing application from decolua. The Next.js API routes under src/app/api/providers/* lack authentication middleware, so remote attackers can send requests to provider management endpoints without any credentials. It carries a CVSS 3.1 base score of 9.8 (CRITICAL) with a network attack vector, low complexity, and no privileges or user interaction required.

Why It Matters

With no credentials required, an attacker can enumerate, create, modify, or delete provider connections. This exposes partial credentials, OAuth tokens, and API keys, and allows attackers to redirect AI traffic to attacker-controlled servers. It also enables complete denial of service by deleting all provider connections. The flaw affects confidentiality, integrity, and availability equally; a rare full-impact combination that makes exploitation both high-value and low-effort.

What's Vulnerable

Patch Status

This CVE was published on 2026-07-13 with a vulnerability status of "Received." A GitHub security advisory (GHSA-vjc7-jrh9-9j86) and a VulnCheck advisory have been issued. The supplied source material does not confirm a fixed version, and there is no CISA KEV entry accompanying this record, so active exploitation is not confirmed in the provided data. Administrators running 9Router should restrict network access to the provider API and monitor the linked advisories for a patched release.

Sources