CVE-2026-55500
Received Received - Intake

Unauthenticated Database Export and Import in 9Router

Vulnerability report for CVE-2026-55500, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

9Router is an AI router & token saver. Prior to 0.4.80, the /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) without any authentication requirement beyond the ALWAYS_PROTECTED middleware check, which only validates JWT or CLI token. This issue is fixed in version 0.4.80.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
decolua 9router to 0.4.80 (exc)
decolua 9router 0.4.80
9router 9router to 0.4.80 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55500 is a critical vulnerability in the 9router npm package (versions up to 0.4.71) that allows attackers to fully export and import the router's database without proper authentication.

The vulnerable endpoint, /api/settings/database, permits unauthenticated access beyond a basic middleware check that only validates JWT or CLI tokens, which is insufficient.

This allows attackers to export the entire database containing sensitive information such as credentials, API keys, OAuth tokens, and settings in plaintext.

Attackers can also import malicious data to completely overwrite the database, including password hashes, enabling them to take full control over all user accounts and downstream services.

Impact Analysis

This vulnerability can lead to a complete compromise of the 9router system.

  • Attackers can steal all credentials, API keys, OAuth tokens, and other sensitive data stored in the database.
  • They can overwrite the entire database, including password hashes, allowing them to set their own passwords and gain full administrative control.
  • This results in loss of confidentiality, integrity, and availability of the system.
  • No privileges or user interaction are required to exploit this vulnerability, making it highly dangerous.
Detection Guidance

This vulnerability can be detected by checking if the /api/settings/database endpoint allows unauthenticated export or import of the database. Specifically, if requests to this endpoint succeed without requiring password verification beyond the JWT or CLI token, the system is vulnerable.

You can test this by sending HTTP requests to the endpoint and observing if the full database export or import is possible without providing the current password.

  • Use curl to attempt a GET request to export the database without a password header: curl -v -X GET https://your-router/api/settings/database
  • Use curl to attempt a POST request to import the database without including the current password in the request body: curl -v -X POST https://your-router/api/settings/database -d '{"data": "malicious_payload"}'

If these requests succeed without password verification, the system is vulnerable.

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade 9router to version 0.4.80 or later, where the issue is fixed by enforcing password verification for database export and import operations.

If upgrading is not immediately possible, restrict access to the /api/settings/database endpoint to trusted users or networks only, and monitor logs for any unauthorized export or import attempts.

  • Enforce re-authentication by requiring the current password for export/import operations.
  • Implement backup procedures before performing any database operations.
  • Enable logging of all database export/import operations for audit trails.
Compliance Impact

This vulnerability allows unauthenticated attackers to export and import the entire database, which contains all credentials, API keys, OAuth tokens, and sensitive settings. Such exposure and potential manipulation of sensitive personal and authentication data pose a significant risk to confidentiality, integrity, and availability.

Because the vulnerability enables full database compromise, including theft of sensitive credentials and the ability to overwrite data, it can lead to violations of data protection regulations such as GDPR and HIPAA. These regulations require strict controls over access to personal and sensitive data, including authentication, authorization, and audit logging.

The lack of proper authentication and the ability to export sensitive data without adequate protection could result in unauthorized disclosure of personal data, which is a direct compliance failure under GDPR's data confidentiality and breach notification requirements, as well as HIPAA's safeguards for protected health information.

Mitigations introduced in version 0.4.80, such as enforcing re-authentication for export/import operations, masking sensitive data in exports, adding confirmation steps, and logging all operations for audit trails, help align the software with compliance requirements by reducing the risk of unauthorized access and providing accountability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55500. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart