Back to overview

CVE-2026-62328

HIGH
7.5
CVSS 3.1
Description
9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation histories including system prompts, user messages, assistant responses, tool calls, and user email addresses by querying the request-logs and request-details API routes which lack authentication middleware.

Metadata

CVE ID
CVE-2026-62328
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-13 21:36 UTC
Published
2026-07-13 21:37 UTC
Last updated
2026-07-13 21:37 UTC
Primary CWE
CWE-862
Missing Authorization
Vendor / Product
decolua / 9Router
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
decolua 9Router 0 ≤ 0.4.41
Weakness (CWE)
CWESourceDescription
CWE-359 cna Exposure of Private Personal Information to an Unauthorized Actor
CWE-862 cna Missing Authorization
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References (2)
Back to overview