Back to overview

CVE-2026-59801

CRITICAL
9.8
CVSS 3.1
Description
9Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middleware in the Next.js API routes under src/app/api/providers/*. Attackers can enumerate, create, modify, or delete provider connections to expose partial credentials, OAuth tokens, and API keys, redirect AI traffic to attacker-controlled servers, or cause complete denial of service by deleting all provider connections.

Metadata

CVE ID
CVE-2026-59801
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-07 14:39 UTC
Published
2026-07-13 21:30 UTC
Last updated
2026-07-13 21:30 UTC
Primary CWE
CWE-306
Missing Authentication for Critical Function
Vendor / Product
decolua / 9Router
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
decolua 9Router 0 ≤ 0.4.41
Weakness (CWE)
CWESourceDescription
CWE-306 cna Missing Authentication for Critical Function
CVSS scores (2)
ScoreSeverityVersionSourceVector
9.8 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References (2)
Back to overview