CVE-2026-62328

Source
https://cve.org/CVERecord?id=CVE-2026-62328
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-62328.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-62328
Aliases
Published
2026-07-13T21:37:52.094Z
Modified
2026-07-17T03:41:43.565960042Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
9Router 0.4.41 - Unauthenticated Information Disclosure via API Usage Endpoints
Details

9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation histories including system prompts, user messages, assistant responses, tool calls, and user email addresses by querying the request-logs and request-details API routes which lack authentication middleware.

Database specific
{
    "cwe_ids": [
        "CWE-359",
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/62xxx/CVE-2026-62328.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/decolua/9router

Affected ranges

Type
GIT
Repo
https://github.com/decolua/9router
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.4.41"
        },
        {
            "introduced": "9Router"
        },
        {
            "fixed": "0.4.41"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ]
}

Affected versions

v0.*
v0.2.21
v0.2.27
v0.2.31
v0.2.36
v0.2.43
v0.2.52
v0.2.56
v0.2.67
v0.2.70
v0.2.71
v0.2.79
v0.2.89
v0.3.17
v0.3.34
v0.3.42
v0.3.47
v0.3.75
v0.3.83
v0.3.86
v0.3.87
v0.3.89
v0.3.90
v0.3.91
v0.3.97
v0.3.98
v0.4.1
v0.4.10
v0.4.11
v0.4.12
v0.4.13
v0.4.14
v0.4.16
v0.4.18
v0.4.19
v0.4.2
v0.4.20
v0.4.25
v0.4.27
v0.4.28
v0.4.29
v0.4.3
v0.4.30
v0.4.31
v0.4.33
v0.4.36
v0.4.37
v0.4.38
v0.4.39
v0.4.4
v0.4.6
v0.4.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-62328.json"