GHSA-QVFM-67H2-2QFX
Vulnerability from github – Published: 2026-07-06 21:37 – Updated: 2026-07-06 21:37Summary
The /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) without any authentication requirement beyond the ALWAYS_PROTECTED middleware check, which only validates JWT or CLI token. Combined with other vulnerabilities (e.g., default password, tunnel exposure), this enables complete database takeover.
Description
The endpoint /api/settings/database is listed in ALWAYS_PROTECTED in dashboardGuard.js (line 42), which requires a valid JWT token or CLI token. However, this protection is insufficient because:
-
GET (Export): Returns the complete database including API keys (
keyfield inapiKeystable), OAuth tokens, and all provider credentials. Line 80 insrc/lib/db/index.js:apiKeys: db.all("SELECT * FROM apiKeys").map(...)— thekeyfield contains the plaintext API key value. -
POST (Import): Accepts arbitrary JSON and performs a complete database wipe-and-replace in a transaction (lines 102-163 in
src/lib/db/index.js). This replaces all settings including the password hash, effectively allowing an attacker to set their own password. -
The exported data includes
apiKeyswith their plaintextkeyvalues,providerConnectionswith all OAuth tokens, andsettingswith OIDC client secrets.
Evidence
File: src/app/api/settings/database/route.js
export async function GET() {
const payload = await exportDb();
return NextResponse.json(payload);
}
export async function POST(request) {
const payload = await request.json();
await importDb(payload);
// ...
}
File: src/lib/db/index.js (lines 96-163)
export async function importDb(payload) {
db.transaction(() => {
// Wipe all tables
db.run(`DELETE FROM settings`);
db.run(`DELETE FROM providerConnections`);
db.run(`DELETE FROM providerNodes`);
db.run(`DELETE FROM proxyPools`);
db.run(`DELETE FROM apiKeys`);
db.run(`DELETE FROM combos`);
db.run(`DELETE FROM kv WHERE scope IN (...)`);
// Then insert attacker-controlled data
// ...
});
}
The exportDb function at line 80 exposes API key plaintext:
apiKeys: db.all(`SELECT * FROM apiKeys`).map((r) => ({
id: r.id, key: r.key, name: r.name, ...
})),
Steps to Reproduce
- Authenticate with any valid JWT (e.g., using the default password "123456")
- Export:
curl -b auth_token=<jwt> http://localhost:20128/api/settings/database - Observe: Full database dump with all credentials in plaintext
- Import malicious data:
curl -X POST -b auth_token=<jwt> -H "Content-Type: application/json" -d '<modified-db>' http://localhost:20128/api/settings/database - All settings, passwords, API keys are now replaced with attacker-controlled values
Impact
- Confidentiality: Complete exposure of all stored secrets (API keys, OAuth tokens, OIDC client secrets)
- Integrity: Complete database replacement with attacker-controlled data
- Availability: Database wipe is possible by importing an empty database
- Scope Changed: Importing new settings affects all users and downstream services
Recommended Fix
- Require re-authentication for database export/import (not just an existing session)
- Mask/redact API keys in export (or require explicit opt-in for key export)
- Add confirmation step for import (require current password verification)
- Implement database backup before import
- Log all export/import operations with audit trail
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "9router"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.4.71"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55500"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-06T21:37:49Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\nThe `/api/settings/database` endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) without any authentication requirement beyond the `ALWAYS_PROTECTED` middleware check, which only validates JWT or CLI token. Combined with other vulnerabilities (e.g., default password, tunnel exposure), this enables complete database takeover.\n\n## Description\n\nThe endpoint `/api/settings/database` is listed in `ALWAYS_PROTECTED` in `dashboardGuard.js` (line 42), which requires a valid JWT token or CLI token. However, this protection is insufficient because:\n\n1. **GET (Export):** Returns the complete database including API keys (`key` field in `apiKeys` table), OAuth tokens, and all provider credentials. Line 80 in `src/lib/db/index.js`: `apiKeys: db.all(\"SELECT * FROM apiKeys\").map(...)` \u2014 the `key` field contains the plaintext API key value.\n\n2. **POST (Import):** Accepts arbitrary JSON and performs a complete database wipe-and-replace in a transaction (lines 102-163 in `src/lib/db/index.js`). This replaces all settings including the password hash, effectively allowing an attacker to set their own password.\n\n3. The exported data includes `apiKeys` with their plaintext `key` values, `providerConnections` with all OAuth tokens, and `settings` with OIDC client secrets.\n\n### Evidence\n\n**File:** `src/app/api/settings/database/route.js`\n```javascript\nexport async function GET() {\n const payload = await exportDb();\n return NextResponse.json(payload);\n}\n\nexport async function POST(request) {\n const payload = await request.json();\n await importDb(payload);\n // ...\n}\n```\n\n**File:** `src/lib/db/index.js` (lines 96-163)\n```javascript\nexport async function importDb(payload) {\n db.transaction(() =\u003e {\n // Wipe all tables\n db.run(`DELETE FROM settings`);\n db.run(`DELETE FROM providerConnections`);\n db.run(`DELETE FROM providerNodes`);\n db.run(`DELETE FROM proxyPools`);\n db.run(`DELETE FROM apiKeys`);\n db.run(`DELETE FROM combos`);\n db.run(`DELETE FROM kv WHERE scope IN (...)`);\n // Then insert attacker-controlled data\n // ...\n });\n}\n```\n\nThe `exportDb` function at line 80 exposes API key plaintext:\n```javascript\napiKeys: db.all(`SELECT * FROM apiKeys`).map((r) =\u003e ({ \n id: r.id, key: r.key, name: r.name, ...\n})),\n```\n\n## Steps to Reproduce\n\n1. Authenticate with any valid JWT (e.g., using the default password \"123456\")\n2. Export: `curl -b auth_token=\u003cjwt\u003e http://localhost:20128/api/settings/database`\n3. Observe: Full database dump with all credentials in plaintext\n4. Import malicious data: `curl -X POST -b auth_token=\u003cjwt\u003e -H \"Content-Type: application/json\" -d \u0027\u003cmodified-db\u003e\u0027 http://localhost:20128/api/settings/database`\n5. All settings, passwords, API keys are now replaced with attacker-controlled values\n\n## Impact\n\n- **Confidentiality:** Complete exposure of all stored secrets (API keys, OAuth tokens, OIDC client secrets)\n- **Integrity:** Complete database replacement with attacker-controlled data\n- **Availability:** Database wipe is possible by importing an empty database\n- **Scope Changed:** Importing new settings affects all users and downstream services\n\n## Recommended Fix\n\n1. Require re-authentication for database export/import (not just an existing session)\n2. Mask/redact API keys in export (or require explicit opt-in for key export)\n3. Add confirmation step for import (require current password verification)\n4. Implement database backup before import\n5. Log all export/import operations with audit trail",
"id": "GHSA-qvfm-67h2-2qfx",
"modified": "2026-07-06T21:37:49Z",
"published": "2026-07-06T21:37:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/decolua/9router/security/advisories/GHSA-qvfm-67h2-2qfx"
},
{
"type": "PACKAGE",
"url": "https://github.com/decolua/9router"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.