PatchSiren cyber security CVE debrief
CVE-2026-62327 decolua CVE debrief
CVE-2026-62327 is an unauthenticated information disclosure vulnerability in 9Router through version 0.4.41. The vulnerability allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit the missing authentication middleware on the Next.js API route to obtain full API key strings alongside token counts, cost breakdowns, and request metadata. This enables unauthorized use of connected AI provider accounts, billing fraud, and quota exhaustion. Users of 9Router through version 0.4.41 should be aware of this vulnerability and take immediate action to secure their installations.
- Vendor
- decolua
- Product
- 9Router
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of 9Router through version 0.4.41, AI provider account holders and administrators, and security teams should be aware of this vulnerability and take immediate action to secure their installations and monitor for potential unauthorized activity.
Technical summary
The vulnerability is caused by a missing authentication middleware on the Next.js API route /api/usage/stats. This allows unauthenticated attackers to access sensitive information, including plaintext API keys for all connected AI provider accounts. The API keys are exposed alongside token counts, cost breakdowns, and request metadata. The vulnerability affects 9Router through version 0.4.41 and enables unauthorized use of connected AI provider accounts, billing fraud, and quota exhaustion.
Defensive priority
High
Recommended defensive actions
- Immediately update 9Router to a version that includes authentication middleware for the /api/usage/stats endpoint
- Rotate all API keys for connected AI provider accounts
- Monitor AI provider account activity for unauthorized usage
- Implement additional security measures, such as IP restrictions or rate limiting, for the /api/usage/stats endpoint
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-13T22:16:52.403Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability beyond the initial CVE record and NVD entry. Defenders should verify the accuracy of the information and be cautious of potential changes in the vulnerability details.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T22:16:52.403Z and has not been modified since then.