GHSA-vjc7-jrh9-9j86: 9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
Summary
9Router (a Next.js dashboard for routing AI requests) contains multiple critical vulnerabilities in versions 0.4.41 and earlier. The `/api/providers` endpoints lack authentication, allowing anyone to create, modify, or delete AI provider connections, while `/api/usage/stats` exposes full API keys (secret credentials used to access AI services) in plaintext, and `/api/usage/request-details` leaks other users' complete conversation histories without requiring a password or login.
Classification
Affected Vendors
Affected Packages
Related Issues
GHSA-382c-vx95-w3p5: Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
Original source: https://github.com/advisories/GHSA-vjc7-jrh9-9j86
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%