{"data":{"id":"5d1ab7ff-0ffb-4c04-b190-ae711f3368dc","title":"GHSA-vjc7-jrh9-9j86: 9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats","summary":"9Router (a Next.js dashboard for routing AI requests) contains multiple critical vulnerabilities in versions 0.4.41 and earlier. The `/api/providers` endpoints lack authentication, allowing anyone to create, modify, or delete AI provider connections, while `/api/usage/stats` exposes full API keys (secret credentials used to access AI services) in plaintext, and `/api/usage/request-details` leaks other users' complete conversation histories without requiring a password or login.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-vjc7-jrh9-9j86","publishedAt":"2026-07-06T21:22:10.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":["pii_leakage","data_extraction"],"issueType":"vulnerability","affectedPackages":["9router@<= 0.4.41"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["9Router","OpenAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-07-06T21:22:10.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}