<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>9Router (&lt; 0.4.42) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/9router--0.4.42/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 13 Jul 2026 22:32:50 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/9router--0.4.42/feed.xml" rel="self" type="application/rss+xml"/><item><title>9Router Unauthenticated Information Disclosure (CVE-2026-62328)</title><link>https://feed.craftedsignal.io/briefs/2026-07-9router-info-disclosure/</link><pubDate>Mon, 13 Jul 2026 22:32:50 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-9router-info-disclosure/</guid><description>An unauthenticated information disclosure vulnerability in 9Router through version 0.4.41 allows remote attackers to access sensitive user data by querying unprotected API endpoints like `/request-logs` and `/request-details` to enumerate paginated request logs and retrieve complete AI conversation histories, including system prompts, user messages, assistant responses, tool calls, and user email addresses, due to a lack of authentication middleware.</description><content:encoded><![CDATA[<p>A critical unauthenticated information disclosure vulnerability, tracked as CVE-2026-62328, affects 9Router software versions up to and including 0.4.41. Remote attackers can exploit this flaw to gain unauthorized access to sensitive user data, including complete AI conversation histories and associated user email addresses. The vulnerability stems from a lack of authentication middleware on specific API endpoints, namely <code>/request-logs</code> and <code>/request-details</code>. This allows unauthenticated users to enumerate paginated request logs and then retrieve detailed AI conversation data, such as system prompts, user messages, assistant responses, and tool calls. This exposure of sensitive data poses a significant privacy and security risk to users of affected 9Router installations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker discovers an internet-accessible 9Router instance running an affected version (0.4.41 or earlier).</li>
<li>Attacker sends an unauthenticated HTTP GET request to the <code>/request-logs</code> API endpoint (e.g., <code>GET /request-logs</code>).</li>
<li>The vulnerable 9Router instance responds with paginated request logs, which include <code>requestId</code> values for past conversations, due to the lack of proper authentication controls.</li>
<li>Attacker parses the received logs to extract valid <code>requestId</code> values associated with user interactions.</li>
<li>Attacker crafts and sends subsequent unauthenticated HTTP GET requests to the <code>/request-details</code> API endpoint, appending an extracted <code>requestId</code> as a query parameter (e.g., <code>GET /request-details?requestId=ABC-123</code>).</li>
<li>The 9Router instance, still lacking authentication middleware for this endpoint, responds with the complete AI conversation history corresponding to the <code>requestId</code>. This data includes system prompts, user messages, assistant responses, tool calls, and associated user email addresses.</li>
<li>Attacker continuously queries various <code>requestId</code> values to collect a large volume of sensitive user data, leading to unauthorized data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-62328 leads to the unauthorized disclosure of highly sensitive user information. Attackers can retrieve full AI conversation histories, including private discussions, proprietary system prompts, and detailed interactions between users and the AI. Crucially, user email addresses are also exposed, increasing the risk of targeted phishing, identity theft, or further malicious activities. The number of potential victims corresponds to the user base of affected 9Router instances, with the scope of data exposure depending on the volume of logged requests. The core damage involves a severe breach of data confidentiality and user privacy.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-62328 immediately by upgrading 9Router to version 0.4.42 or later.</li>
<li>Deploy the provided Sigma rules to your SIEM to detect attempts to access the vulnerable API endpoints.</li>
<li>Enable comprehensive web server logging for HTTP requests, particularly for <code>cs-uri-stem</code> and <code>cs-method</code>, to activate the detection rules.</li>
<li>Review web server access logs for any unauthenticated or suspicious GET requests to <code>/request-logs</code> or <code>/request-details</code> from external IP addresses.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>information-disclosure</category><category>vulnerability</category><category>web-application</category></item></channel></rss>