Lucene search
K

8 matches found

NVD
NVD
added yesterday5 views

CVE-2026-55641

9Router is an AI router & token saver. Prior to 0.5.2, 9router determines whether a /v1 LLM proxy request is local by reading the client-controlled Host header, allowing a remote unauthenticated attacker to send Host: localhost and bypass API-key authentication. In the default configuration, this...

8.2CVSS
Exploits0References3
NVD
NVD
added yesterday4 views

CVE-2026-55638

9Router is an AI router & token saver. Prior to 0.5.2, 9router protects /v1, /v1beta, /api/v1, and /api/v1beta in src/dashboardGuard.js but omits /codex before next.config.mjs rewrites /codex/ to /api/v1/responses. A remote unauthenticated attacker can send requests to /codex/ to bypass the API-k...

8.6CVSS
Exploits0References3
Cvelist
Cvelist
added yesterday8 views

CVE-2026-55638 9router: Unauthenticated LLM proxy access via /codex rewrite authorization bypass

9Router is an AI router & token saver. Prior to 0.5.2, 9router protects /v1, /v1beta, /api/v1, and /api/v1beta in src/dashboardGuard.js but omits /codex before next.config.mjs rewrites /codex/ to /api/v1/responses. A remote unauthenticated attacker can send requests to /codex/ to bypass the API-k...

8.6CVSS
Exploits0References3
CVE
CVE
added yesterday5 views

CVE-2026-55641

9router (affected component: /v1 LLM proxy logic) had an unauthenticated bypass due to client-controlled Host header processing before version 0.5.2. This allowed a remote attacker to craft Host: localhost to bypass API-key checks, potentially enabling upstream provider calls with stored credenti...

8.2CVSS6.1AI score
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/18 7:58 p.m.13 views

CVE-2026-45339

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-...

6.5CVSS5.8AI score0.00309EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/09 8:54 a.m.7 views

CVE-2021-41191

Roblox-Purchasing-Hub is an open source Roblox product purchasing hub. A security risk in versions 1.0.1 and prior allowed people who have someone's API URL to get product files without an API key. This issue is fixed in version 1.0.2. As a workaround, add @requireapikey in BOT/lib/cogs/website.p...

7.5CVSS6.7AI score0.01327EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2014/03/21 12:0 a.m.18 views

Palo Alto Networks PAN-OS 4.1.x < 4.1.16 / 5.0.x < 5.0.10 / 5.1.x < 5.1.5 API Key Bypass Flaw

The remote host is running a version of Palo Alto Networks PAN-OS prior to 4.1.16 / 5.0.10 / 5.1.5. It is, therefore, affected by an API key bypass flaw which allows a remote attacker to bypass the XML API key for a session that has already been authorized. Note that Nessus has not tested for thi...

5.6AI score
Exploits0References1
Palo Alto Networks
Palo Alto Networks
added 2014/01/29 12:0 a.m.11 views

Management API Key Bypass

An XML API key can be bypassed if a session has been authorized. This can be used in a CSRF or XSS attack. Ref 58976...

6.4AI score
Exploits0Affected Software1
Rows per page
Query Builder