PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-62327 decolua CVE debrief

CVE-2026-62327 is an unauthenticated information disclosure vulnerability in 9Router through version 0.4.41. The vulnerability allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit the missing authentication middleware on the Next.js API route to obtain full API key strings alongside token counts, cost breakdowns, and request metadata. This enables unauthorized use of connected AI provider accounts, billing fraud, and quota exhaustion. Users of 9Router through version 0.4.41 should be aware of this vulnerability and take immediate action to secure their installations.

Vendor
decolua
Product
9Router
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of 9Router through version 0.4.41, AI provider account holders and administrators, and security teams should be aware of this vulnerability and take immediate action to secure their installations and monitor for potential unauthorized activity.

Technical summary

The vulnerability is caused by a missing authentication middleware on the Next.js API route /api/usage/stats. This allows unauthenticated attackers to access sensitive information, including plaintext API keys for all connected AI provider accounts. The API keys are exposed alongside token counts, cost breakdowns, and request metadata. The vulnerability affects 9Router through version 0.4.41 and enables unauthorized use of connected AI provider accounts, billing fraud, and quota exhaustion.

Defensive priority

High

Recommended defensive actions

  • Immediately update 9Router to a version that includes authentication middleware for the /api/usage/stats endpoint
  • Rotate all API keys for connected AI provider accounts
  • Monitor AI provider account activity for unauthorized usage
  • Implement additional security measures, such as IP restrictions or rate limiting, for the /api/usage/stats endpoint
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-13T22:16:52.403Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability beyond the initial CVE record and NVD entry. Defenders should verify the accuracy of the information and be cautious of potential changes in the vulnerability details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T22:16:52.403Z and has not been modified since then.