COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-59801

CVE-2026-59801

Severity
critical
Source
NVD · cve
Published
2026-07-13
CVSS
9.8
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-59801
shame 45/100 unpatcheddata-breach

9Router versions <=0.4.41 allow unauthenticated remote access to provider management APIs, exposing OAuth tokens and API keys.

This critical vulnerability enables attackers to enumerate, modify, or delete provider connections without credentials, potentially exposing sensitive OAuth tokens and API keys. DIB organizations must audit their supply chain for affected 9Router components and apply patches immediately to prevent unauthorized access to provider credentials.

Shame score — Unauthenticated access to provider management APIs exposes credentials but does not directly enable remote code execution.

Description

9Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middleware in the Next.js API routes under src/app/api/providers/*. Attackers can enumerate, create, modify, or delete provider connections to expose partial credentials, OAuth tokens, and API keys, redirect AI traffic to attacker-controlled servers, or cause complete denial of service by deleting all provider connections.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.