External risk intelligence

9Router Unauthenticated API Key Exposure Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-62327

The vulnerability exists in a web API route (/api/usage/stats) of a router-related application. Applications providing API management, usage statistics, or routing functionality are commonly deployed as network-accessible services or web applications, making this endpoint frequently reachable over the network in standard deployment patterns.

Missing Authentication

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in 9Router software, which could allow unauthorized remote access to sensitive API keys for connected AI provider accounts. Successful exploitation could lead to misuse of these accounts, billing fraud, or exhaustion of service quotas. The primary concern is to confirm if this specific software is in use and if it is exposed in a way that could be targeted.

  • Unauthenticated exposure of AI API keys.
  • Prevents unauthorized AI account access.
  • Confirm exposure and relevance.

Attack Path

How an attacker could exploit the issue

An attacker can access sensitive information by sending a single unauthenticated request to a specific API endpoint on the 9Router application. This allows them to retrieve plaintext API keys for all connected AI provider accounts, along with usage details. The vulnerability stems from missing authentication checks on the Next.js API route, which attackers can leverage to gain unauthorized access to these accounts.

  • No authentication is required.
  • Requesting the `/api/usage/stats` endpoint triggers it.
  • Risk of unauthorized AI account use and fraud.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthenticated remote attackers to obtain plaintext API keys for connected AI provider accounts. This exposure is possible when the affected API route is accessible over the network.

  • AI provider API keys.
  • Unauthenticated requests to an API endpoint.
  • Unauthorized use of AI services.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability impacts applications using the affected router technology, likely managed by platform or application owners. The immediate priority is to locate all instances of this technology, confirm their network exposure and business criticality, and identify the accountable owners. A risk-based remediation plan should then be developed collaboratively.

  • Identify affected technology deployment instances.
  • Verify network exposure and business criticality.
  • Plan remediation with accountable owners.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is 9Router software?

9Router is a software application designed for routing, frequently used to manage and bridge connectivity between different services. It acts as an integration layer for AI providers, allowing users to centralize their API keys to manage usage, monitor request metadata, and track costs within a single administrative interface.

What does CVE-2026-62327 mean?

This CVE identifies a security weakness classified as Missing Authentication for Critical Function and Insufficiently Protected Credentials. In plain English, the software fails to verify user identity before granting access to sensitive data, specifically allowing anyone to read plaintext API keys intended for connected AI accounts.

How is this vulnerability triggered?

An attacker triggers this flaw by sending a single, unauthenticated web request to the /api/usage/stats endpoint. Simply navigating to or querying this specific route is sufficient to bypass security. Notably, the bug is not triggered by actions requiring legitimate credentials; rather, it is the complete absence of authentication middleware that makes the data accessible.

Is my instance relevant to this threat?

According to Halo Surface Signal, this vulnerability is considered highly relevant for network-accessible deployments. Because the affected endpoint is a web-based service typically used for routing or API management, any 9Router instance reachable over a public or internal network is a potential target for unauthorized data retrieval.

How should I respond to this 9Router alert?

Start by identifying all instances of 9Router within your environment. Once located, verify the network accessibility of each deployment to determine if the API route is exposed. Engage the platform or application owners immediately to discuss disabling access to the vulnerable endpoint or planning a remediation path to address the authentication gap.

References