Missing Authorization Affecting 9router package, versions <0.5.15


Severity

Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Missing Authorization vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-9ROUTER-17875082
  • published7 Jul 2026
  • disclosed6 Jul 2026
  • creditnewnol

Introduced: 6 Jul 2026

New CVE NOT AVAILABLE CWE-306  (opens in a new tab)
CWE-862  (opens in a new tab)

How to fix?

Upgrade 9router to version 0.5.15 or higher.

Overview

9router is a 9Router CLI - Start and manage 9Router server

Affected versions of this package are vulnerable to Missing Authorization due to missing authentication checks on several API endpoints, including /api/providers, /api/usage/stats, /api/usage/request-logs, and /api/usage/request-details. An attacker can gain unauthorized access to sensitive information such as API keys, OAuth tokens, account IDs, email addresses, and full conversation histories, as well as perform unauthorized actions like creating, modifying, or deleting provider connections by sending crafted requests to these endpoints.

CVSS Base Scores

version 4.0
version 3.1