9routers Database Exposure and Takeover via Insecure API
A critical vulnerability (CVE-2026-55500) in 9routers versions <= 0.4.71 allows authenticated attackers with a valid JWT token to export the complete database containing plaintext credentials and secrets, and to import a modified database, leading to full system takeover and credential theft.
A critical vulnerability, tracked as CVE-2026-55500, has been identified in 9routers versions 0.4.71 and earlier. This flaw resides in the /api/settings/database API endpoint, which is intended for database export and import functionalities. Despite being protected by an ALWAYS_PROTECTED middleware requiring a valid JWT or CLI token, this protection is deemed insufficient. An attacker, having obtained a valid token (potentially through default credentials like "123456" or other means), can exploit this endpoint to perform a full export of the application's database. This export includes highly sensitive information such as plaintext API keys, OAuth tokens, OIDC client secrets, and hashed user credentials. Furthermore, the attacker can import a modified database, enabling a complete wipe and overwrite of the existing database, which can be leveraged to replace administrator password hashes, gain persistent access, and achieve full system takeover. This vulnerability poses a severe risk to the confidentiality, integrity, and availability of affected 9router instances.
Attack Chain
- Initial Access / Credential Acquisition: An attacker identifies an accessible 9router instance and obtains an initial valid JWT or CLI token, potentially leveraging default credentials (e.g., '123456') or other initial access methods.
- Reconnaissance / Sensitive Endpoint Access: Using the acquired token, the attacker sends an HTTP GET request to the
/api/settings/databaseendpoint to understand its functionality and extract current configuration. - Data Exfiltration / Credential Dumping: The vulnerable endpoint responds with a full database export, providing the attacker with highly sensitive information, including plaintext API keys, OAuth tokens, OIDC client secrets, and hashed user credentials.
- Data Manipulation: The attacker analyzes the exfiltrated database content, identifies critical entries (such as administrator password hashes), and modifies them to establish their own privileged access.
- Privilege Escalation / Persistence (Database Import): The attacker crafts an HTTP POST request containing the manipulated database payload and sends it to the
/api/settings/databaseendpoint, authenticating with their valid token. - System Control / Database Overwrite: The 9router application processes this malicious import request, completely overwriting its operational database with the attacker's controlled data, including new administrator credentials.
- Impact / Full Takeover: The attacker can now log in to the 9router instance using their newly set credentials, gaining full administrative control and potentially leveraging the previously stolen API keys for further malicious activities.
Impact
The successful exploitation of CVE-2026-55500 leads to severe consequences across multiple domains. Confidentiality is completely breached through the exposure of all stored secrets, including plaintext API keys, OAuth tokens, and OIDC client secrets, which could facilitate lateral movement or access to connected services. Integrity is compromised as attackers can perform a full database replacement with their own controlled data, effectively rewriting all application settings and user credentials. This allows for persistent control and unauthorized modifications. Furthermore, availability can be impacted if an attacker chooses to import an empty or malformed database, leading to a denial of service for the 9router application. This vulnerability enables a complete system takeover.
Recommendation
- Patch Immediately: Upgrade 9router to a version greater than 0.4.71 to address CVE-2026-55500.
- Implement Strong Authentication: Ensure that highly sensitive endpoints like
/api/settings/databaserequire multi-factor authentication or re-authentication with current credentials, not just an existing session. - Deploy Sigma Rules: Deploy the provided Sigma rule to your SIEM to detect attempts to access the
/api/settings/databaseendpoint and investigate any alerts. - Review Logs: Audit webserver access logs for
http://localhost:20128/api/settings/database(or your production URL) for any suspicious GET or POST requests. - Rotate Credentials: Immediately rotate all API keys, OAuth tokens, and other secrets if an instance of 9router was running a vulnerable version.
Detection coverage 1
Detects CVE-2026-55500 Exploitation — 9routers Database Export/Import
highDetects exploitation attempts against CVE-2026-55500 in 9routers, where an authenticated attacker accesses the sensitive /api/settings/database endpoint to export or import database content.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
url
| Type | Value |
|---|---|
| url | http://localhost:20128/api/settings/database |