CVE-2026-62328
9Router 0.4.41 - Unauthenticated Information Disclosure via API Usage Endpoints
CVSS Score
7.5
EPSS Score
0.4%
EPSS Percentile
29th
9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation histories including system prompts, user messages, assistant responses, tool calls, and user email addresses by querying the request-logs and request-details API routes which lack authentication middleware.
| CWE | CWE-862 CWE-359 |
| Vendor | decolua |
| Product | 9router |
| Published | Jul 13, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for decolua 9router
Be the first to know when new high vulnerabilities affecting decolua 9router are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
decolua / 9Router
0 ≤ 0.4.41
References
Credits
🔍 Ngô Tấn Tài (@newnol)