9Router flaws leak stored API keys and tokens (CVE-2026-55500 and more)
9Router, a popular AI coding router, has critical flaws (CVE-2026-55500, 9.9) that leak all stored API keys and tokens, plus a 10.0 unauthenticated RCE. Update to v0.4.80+ and don't expose it to the internet.
Table of contents
9Router, a popular AI coding router, has critical flaws (CVE-2026-55500, 9.9) that leak all stored API keys and tokens, plus a 10.0 unauthenticated RCE. Update to v0.4.80+ and don't expose it to the internet.
A string of serious vulnerabilities has been found in "9Router," a popular free tool that intelligently routes coding tools like Claude Code, Cursor, and Cline across multiple AI services, that could let all your saved API keys and tokens be stolen and your server taken over. The central flaw, CVE-2026-55500, lets an attacker export the entire database and carries a severity of 9.9 out of 10. On top of that, a flaw that allows command execution on the server without any login, rated a maximum 10.0, has also been reported.
9Router is a fast-growing tool with over 20,000 GitHub stars, and by its nature it stores the API keys and login tokens for the various AI services its users rely on, all in one place. In other words, if this vault is broken into, an attacker can impersonate the user to run up expensive AI bills, or break into linked accounts. If you run 9Router on your own PC or server (self-hosting), update to the latest version right now, and make sure it is not exposed to the internet.
What is 9Router
9Router is a routing proxy that sits between "AI tools that write code for you" β Claude Code, Cursor, Cline, Copilot β and the AI services that power them behind the scenes (Claude, GPT, Gemini, and 40-plus more). When you hit a usage limit it automatically switches to another free or cheap service, and it compresses the data being sent to cut consumption, promising to let you "use AI coding heavily for free or at low cost." It is free, open-source software that users run on their own PC or server.
The flip side of that convenience is that 9Router stores the API keys (secret keys for using each service) and the OAuth login-linking tokens for the AI services it connects to, all together in its own database. If that is broken into, keys for multiple services leak at once. Relay software that manages many AIs becoming a target is a pattern seen again and again, as with the takeover vulnerability in the similar relay tool LiteLLM and the API-key bypass flaw in the AI platform vLLM.
What is dangerous, and how far can the damage spread
What makes this frightening is that there is not just one flaw, but several severe holes stacked on top of each other. Three stand out. First, a flaw that lets the whole database be exported (CVE-2026-55500, severity 9.9); it contains saved API keys and OAuth tokens in readable (plaintext) form. Second, a flaw that lets commands run on the server without any login (CVE-2026-46339, a maximum rating of 10.0). Third, a flaw that lets authentication be bypassed using a predetermined "shared secret" (CVE-2026-49352, severity 9.8).
These are dangerous on their own, but the damage gets far worse when they combine. For example, using the flaw that bypasses authentication with a shared secret (49352), an outside attacker can reach the database export (55500) that should only be accessible to legitimate users. As a result, every stored key for every service can be carried off wholesale, effectively without any login.
A user whose keys are stolen may be billed heavily for AI services used without their knowledge, or have linked cloud and development-service accounts broken into. 9Router is meant to run only inside your own PC, but if you configure it to be reachable from outside (installing it on a tunnel or VPS, or using cloud sync), these holes can be exploited across the internet. Just like the API-key theft vulnerability in the AI coding tool Cline, the "keyring" in a developer's hands is a classic target.
Who targets these holes, and what happens
The likely exploiters are attackers who steal other people's API keys to offload their own AI bills or resell the stolen keys, and ransomware groups that hijack developers' servers as a foothold for intrusion. Because 9Router gathers keys for multiple services in one place, breaking a single instance yields a big payoff, making it an efficient target for attackers.
The flow of attack goes like this. Attackers hunt down 9Router instances exposed to the internet, get in using the shared secret or an unguarded endpoint, and either export the entire database to extract all the keys, or run their own commands on the server. The more popular a tool, the more instances are deployed, and the easier they are to find with programs that scan automatically.
As a result, targeted users get billed for AI usage they never incurred, or have their keys abused to break into linked services and clouds. "Supply-chain attacks" that spread into organizations through development tools and relay software have been rising in recent years, and just like the case where the LiteLLM package with 95 million monthly downloads was hijacked, the more widely something is used, the bigger the damage. From the standpoint of checking OSS supply-chain dependencies across sources, such relay tools warrant caution.
What is happening from a technical standpoint
Of the flaws reported in quick succession, the three with the largest impact each have an identifier assigned.
CVE-2026-55500: the whole database can be exported, leaking every key (severity 9.9)
9Router has a settings endpoint at /api/settings/database that allows exporting and importing the database. The problem is that the mechanism guarding this endpoint only checked "whether a token is present," not "whether this party is allowed to perform a sensitive operation." As a result, even a low-privilege user can export the entire database, including API keys, OAuth tokens, and OIDC secrets in plaintext. The import side is unguarded too, so an attacker can overwrite the whole database with contents of their choosing. The U.S. National Institute of Standards and Technology (NIST) classifies this as exposure of sensitive information (CWE-200). Affected are versions up to v0.4.71, and NVD cites v0.4.80 as the fix in the vendor's response.
CVE-2026-46339: command execution on the server without any login (maximum rating 10.0)
9Router has endpoints such as /api/cli-tools/ and /api/mcp/ for integrating with external tools. However, the login-requiring mechanism only protected eight predetermined endpoints, leaving these integration endpoints unguarded. Without logging in, an attacker can register a malicious "plugin" (an extension carrying arbitrary commands) and simply call another endpoint to run commands freely on the server. The severity reaches the CVSS ceiling of 10.0. Affected are v0.4.30 through v0.4.36 β a flaw introduced when the external-integration (MCP) feature was added β and it is fixed in v0.4.37. Requiring neither login nor user action, it is the most easily exploited type.
CVE-2026-49352: authentication bypassed with a hardcoded shared secret (severity 9.8, public PoC)
9Router signs the token that proves your login state with a secret phrase (a JWT secret). The problem is that if a user has not set this phrase themselves, a default phrase embedded directly in the program, "9router-default-secret-change-me," is used as-is. Because anyone can learn this string, an attacker can use it to forge a legitimate login token themselves and freely access the dashboard and API. NIST classifies this as use of hardcoded credentials (CWE-798). Affected are v0.2.21 through v0.4.44, and it was fixed in v0.4.45. A proof-of-concept (a sample that reproduces the attack) has already been published, and an older version that leaves this phrase in place can, combined with the earlier database export (55500), have all its keys extracted effectively without any login.
In addition, several problems have been reported in a short span, such as a flaw that bypasses the limit on login attempts (CVE-2026-55501). Across the board, the common cause is weak protection on endpoints that accept external input, with insufficient checks on authentication and authorization.
Affected versions and countermeasures
For each major flaw, the affected and fixed versions are as follows. Because the fix version differs for each, the sure way to resolve them all at once is to update to the latest available version (v0.4.80 or later).
| Identifier | Issue | Severity | Affected | Fixed in |
|---|---|---|---|---|
| CVE-2026-46339 | Unauthenticated command exec (RCE) | 10.0 | 0.4.30β0.4.36 | 0.4.37 |
| CVE-2026-55500 | Full DB export (all keys leak) | 9.9 | β€ 0.4.71 | 0.4.80 |
| CVE-2026-49352 | Auth bypass via default secret | 9.8 | 0.2.21β0.4.44 | 0.4.45 |
Beyond updating, it is important to not expose 9Router to the internet (review any external exposure via tunnel or VPS, or cloud sync), and to set your own strong secret phrase (JWT secret). This kind of tool is safest run only in your local environment; the more you open it up, the easier holes like these are to exploit.
What is confirmed, and what is still unknown
β Confirmed facts
- βThe settings endpoint can export/overwrite the entire database (including plaintext API keys and tokens). Severity 9.9 (NVD)
- βA separate flaw runs commands on the server without any login via unguarded integration endpoints (CVE-2026-46339, 10.0, fixed in 0.4.37) (GitHub Advisory)
- βThe authentication bypass via a default JWT secret (CVE-2026-49352, 9.8, fixed in 0.4.45) has a public proof-of-concept (GitLab Advisory)
? Not yet confirmed
- ?As of publication, there is no official report of these vulnerabilities being exploited at scale in actual attacks
- ?As of publication, they are not listed in the U.S. CISA "Known Exploited Vulnerabilities catalog (KEV)" (you can check the latest KEV status here)
- ?A PoC for the authentication bypass is public, and combined exploitation often begins after disclosure β caution is warranted
What you can do right now
The core countermeasure is clear. The top priority is to update 9Router to the latest available version (v0.4.80 or later). Fixed versions are available on the GitHub releases page. In addition, stop exposing it to the internet and set your own strong secret phrase (JWT secret) to greatly narrow the entry points for exploitation.
Around the time you update, also consider rotating (reissuing) the API keys and tokens you had stored. If you had exposed an old version externally, you cannot rule out that keys have already been extracted. Recreating keys in each AI service's dashboard and revoking the old ones is the safe move. Entrusting your keys to a relay tool is convenient, but if that place is breached the damage spreads all at once β a trait shared with cases like the vulnerability leaking credentials in a networking library.
| Who you are | What you can do now | Priority |
|---|---|---|
| 9Router user | Update to latest, stop external exposure Set a strong JWT secret | Top priority |
| If you exposed it externally | Rotate all API keys and tokens Review suspicious access logs | High |
| Suspect a takeover | Isolate and investigate the server Check linked accounts | High |
Frequently asked questions
Q. Is it dangerous even if I only use 9Router inside my own PC?
A. If you do not expose it to the internet and run it only locally, the chance of being directly targeted from outside is lower. However, the risk of exploitation remains through another malicious program running on the same PC, or through an external-exposure or cloud-sync setting you enabled by accident. The sure thing is to update to the latest version and review your exposure settings.
Q. How do I check my 9Router version?
A. You can check it in 9Router's dashboard or in the version shown at install time. If it is earlier than v0.4.80, it is likely affected by one of these flaws, so obtain and install the latest version from the GitHub releases page.
Q. I'm worried my API keys may already be stolen.
A. If you had exposed an old version externally, we recommend recreating your API keys in each AI service's dashboard and revoking the old ones, just in case. Also check for AI charges you don't recognize, and any suspicious activity on linked accounts.
Q. Is it already being exploited in attacks?
A. As of this article's publication, there is no official report of these vulnerabilities being used at scale in actual attacks, and they are not in CISA's KEV catalog. However, a PoC for the authentication bypass is public and the tool is popular with many deployments, so exploitation is likely to begin after disclosure β caution is warranted.
Summary
This case is about how 9Router, a popular relay tool for using AI coding cheaply, had weak protection on the endpoints that accept external input, so that saved API keys and tokens could be extracted wholesale and the server taken over. The central CVE-2026-55500 is severity 9.9, and it is compounded by a separate maximum-rated 10.0 flaw allowing command execution without login, and an authentication bypass with a public PoC β combined, the damage escalates quickly.
The saving grace is that a fix is available for each. Updating to the latest available version (v0.4.80 or later), not exposing it to the internet, and setting a strong secret phrase closes most entry points. The convenience of keeping keys for multiple AI services in one place carries the inseparable danger that damage concentrates when that place is breached. If you are worried, rotating your keys as well is the safe course. If there is any new sign of exploitation, we will report it again.
References

Makoto Horikawa
Backend Engineer / AWS / Django