{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/9router--0.4.42/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-62328"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["9Router (\u003c 0.4.42)"],"_cs_severities":["high"],"_cs_tags":["information-disclosure","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["9Router"],"content_html":"\u003cp\u003eA critical unauthenticated information disclosure vulnerability, tracked as CVE-2026-62328, affects 9Router software versions up to and including 0.4.41. Remote attackers can exploit this flaw to gain unauthorized access to sensitive user data, including complete AI conversation histories and associated user email addresses. The vulnerability stems from a lack of authentication middleware on specific API endpoints, namely \u003ccode\u003e/request-logs\u003c/code\u003e and \u003ccode\u003e/request-details\u003c/code\u003e. This allows unauthenticated users to enumerate paginated request logs and then retrieve detailed AI conversation data, such as system prompts, user messages, assistant responses, and tool calls. This exposure of sensitive data poses a significant privacy and security risk to users of affected 9Router installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker discovers an internet-accessible 9Router instance running an affected version (0.4.41 or earlier).\u003c/li\u003e\n\u003cli\u003eAttacker sends an unauthenticated HTTP GET request to the \u003ccode\u003e/request-logs\u003c/code\u003e API endpoint (e.g., \u003ccode\u003eGET /request-logs\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable 9Router instance responds with paginated request logs, which include \u003ccode\u003erequestId\u003c/code\u003e values for past conversations, due to the lack of proper authentication controls.\u003c/li\u003e\n\u003cli\u003eAttacker parses the received logs to extract valid \u003ccode\u003erequestId\u003c/code\u003e values associated with user interactions.\u003c/li\u003e\n\u003cli\u003eAttacker crafts and sends subsequent unauthenticated HTTP GET requests to the \u003ccode\u003e/request-details\u003c/code\u003e API endpoint, appending an extracted \u003ccode\u003erequestId\u003c/code\u003e as a query parameter (e.g., \u003ccode\u003eGET /request-details?requestId=ABC-123\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe 9Router instance, still lacking authentication middleware for this endpoint, responds with the complete AI conversation history corresponding to the \u003ccode\u003erequestId\u003c/code\u003e. This data includes system prompts, user messages, assistant responses, tool calls, and associated user email addresses.\u003c/li\u003e\n\u003cli\u003eAttacker continuously queries various \u003ccode\u003erequestId\u003c/code\u003e values to collect a large volume of sensitive user data, leading to unauthorized data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-62328 leads to the unauthorized disclosure of highly sensitive user information. Attackers can retrieve full AI conversation histories, including private discussions, proprietary system prompts, and detailed interactions between users and the AI. Crucially, user email addresses are also exposed, increasing the risk of targeted phishing, identity theft, or further malicious activities. The number of potential victims corresponds to the user base of affected 9Router instances, with the scope of data exposure depending on the volume of logged requests. The core damage involves a severe breach of data confidentiality and user privacy.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-62328 immediately by upgrading 9Router to version 0.4.42 or later.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect attempts to access the vulnerable API endpoints.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server logging for HTTP requests, particularly for \u003ccode\u003ecs-uri-stem\u003c/code\u003e and \u003ccode\u003ecs-method\u003c/code\u003e, to activate the detection rules.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for any unauthenticated or suspicious GET requests to \u003ccode\u003e/request-logs\u003c/code\u003e or \u003ccode\u003e/request-details\u003c/code\u003e from external IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T22:32:50Z","date_published":"2026-07-13T22:32:50Z","id":"https://feed.craftedsignal.io/briefs/2026-07-9router-info-disclosure/","summary":"An unauthenticated information disclosure vulnerability in 9Router through version 0.4.41 allows remote attackers to access sensitive user data by querying unprotected API endpoints like `/request-logs` and `/request-details` to enumerate paginated request logs and retrieve complete AI conversation histories, including system prompts, user messages, assistant responses, tool calls, and user email addresses, due to a lack of authentication middleware.","title":"9Router Unauthenticated Information Disclosure (CVE-2026-62328)","url":"https://feed.craftedsignal.io/briefs/2026-07-9router-info-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed - 9Router (\u003c 0.4.42)","version":"https://jsonfeed.org/version/1.1"}