Skip to content
Threat Feed
critical advisory

CVE-2026-59801: 9Router Unauthenticated API Access Vulnerability

A critical unauthenticated access vulnerability, CVE-2026-59801, in 9Router versions up to 0.4.41 allows remote attackers to bypass authentication on provider management API endpoints, enabling them to enumerate, create, modify, or delete connections, leading to credential exposure, AI traffic redirection, or complete denial of service.

The NVD advisory details CVE-2026-59801, a critical unauthenticated access vulnerability affecting 9Router through version 0.4.41. This flaw stems from missing authentication middleware in the Next.js API routes located under src/app/api/providers/*. Remote attackers can exploit this by sending requests to these endpoints without any credentials. This direct interaction allows them to enumerate, create, modify, or delete crucial provider connections. The vulnerability, rated with a CVSS v3.1 base score of 9.8, enables threat actors to expose sensitive partial credentials, OAuth tokens, and API keys. Furthermore, it allows for the redirection of AI traffic to attacker-controlled infrastructure or can cause a complete denial of service by deleting all existing provider connections, posing a severe risk to affected systems.

Attack Chain

  1. An attacker identifies a vulnerable 9Router instance running a version equal to or older than 0.4.41.
  2. The attacker crafts unauthenticated HTTP requests targeting the susceptible provider management API endpoints under src/app/api/providers/*.
  3. The attacker sends these requests without providing any credentials or authentication tokens.
  4. Due to the missing authentication middleware, the 9Router application processes these requests.
  5. The attacker interacts with the API to enumerate existing provider connections, create new ones, modify configurations, or delete them.
  6. Through these interactions, the attacker obtains sensitive partial credentials, OAuth tokens, and API keys.
  7. The attacker leverages access to redirect AI traffic to their controlled servers or delete all provider connections, leading to complete denial of service.

Impact

Successful exploitation of CVE-2026-59801 can lead to significant data breaches and operational disruption. Attackers can gain access to sensitive authentication materials such as partial credentials, OAuth tokens, and API keys, which can then be used for further lateral movement or access to other systems. The ability to redirect AI traffic to attacker-controlled servers could lead to data exfiltration, manipulation of AI model behavior, or phishing campaigns. The most severe impact is the potential for complete denial of service, where all provider connections are deleted, crippling the functionality of the 9Router instance and any dependent services. Given the CVSS v3.1 base score of 9.8, the vulnerability presents a critical risk, allowing unauthenticated attackers to cause high-severity impacts on confidentiality, integrity, and availability.

Recommendation

  • Patch CVE-2026-59801 by upgrading 9Router to a version beyond 0.4.41 immediately.
  • Deploy the Sigma rule "Detects CVE-2026-59801 Exploitation - Unauthenticated Access to 9Router Provider API" to your SIEM and tune for your environment to identify suspicious access patterns to /api/providers/* endpoints.
  • Enable comprehensive web server logging to capture cs-uri-stem, cs-uri-query, cs-method, and sc-status for all HTTP requests to 9Router instances.

Detection coverage 1

Detects CVE-2026-59801 Exploitation - Unauthenticated Access to 9Router Provider API

critical

Detects HTTP requests targeting 9Router's provider management API endpoints (`/api/providers/*`), which are vulnerable to unauthenticated access via CVE-2026-59801. Any successful or attempted access to these paths by unauthenticated users is suspicious.

sigma tactics: credential_access, impact, initial_access techniques: T1190, T1499, T1552 sources: webserver

Detection queries are available on the platform. Get full rules →