🔐 CVE Alert

CVE-2026-62328

HIGH 7.5

9Router 0.4.41 - Unauthenticated Information Disclosure via API Usage Endpoints

CVSS Score
7.5
EPSS Score
0.4%
EPSS Percentile
29th

9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation histories including system prompts, user messages, assistant responses, tool calls, and user email addresses by querying the request-logs and request-details API routes which lack authentication middleware.

CWE CWE-862 CWE-359
Vendor decolua
Product 9router
Published Jul 13, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for decolua 9router

Be the first to know when new high vulnerabilities affecting decolua 9router are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

decolua / 9Router
0 ≤ 0.4.41

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/decolua/9router/security/advisories/GHSA-vjc7-jrh9-9j86 vulncheck.com: https://www.vulncheck.com/advisories/9router-unauthenticated-information-disclosure-via-api-usage-endpoints

Credits

🔍 Ngô Tấn Tài (@newnol)