CVE-2026-55500

CRITICALPre-NVD 9.99.9
EchelonGraph scoreHIGH confidence

Score 9.9 from GitHub Security Advisory (severity: CRITICAL) published 2026-07-06. the CNA's CVSS baseline 9.9; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: cna:github_m, ghsa
9.9
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 9.9Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover

Summary

The /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) without any authentication requirement beyond the ALWAYS_PROTECTED middleware check, which only validates JWT or CLI token. Combined with other vulnerabilities (e.g., default password, tunnel exposure), this enables complete database takeover.

Description

The endpoint /api/settings/database is listed in ALWAYS_PROTECTED in dashboardGuard.js (line 42), which requires a valid JWT token or CLI token. However, this protection is insufficient because:

  • GET (Export): Returns the complete database including API keys (key field in apiKeys table), OAuth tokens, and all provider credentials. Line 80 in src/lib/db/index.js: apiKeys: db.all("SELECT * FROM apiKeys").map(...) — the key field contains the plaintext API key value.
  • POST (Import): Accepts arbitrary JSON and performs a complete database wipe-and-replace in a transaction (lines 102-163 in src/lib/db/index.js). This replaces all settings including the password hash, effectively allowing an attacker to set their own password.
  • The exported data includes apiKeys with their plaintext key values, providerConnections with all OAuth tokens, and settings with OIDC client secrets.

Evidence

File: src/app/api/settings/database/route.js

export async function GET() {
  const payload = await exportDb();
  return NextResponse.json(payload);
}

export async function POST(request) { const payload = await request.json(); await importDb(payload); // ... }

File: src/lib/db/index.js (lines 96-163)

export async function importDb(payload) {
  db.transaction(() => {
    // Wipe all tables
    db.run(DELETE FROM settings);
    db.run(DELETE FROM providerConnections);
    db.run(DELETE FROM providerNodes);
    db.run(DELETE FROM proxyPools);
    db.run(DELETE FROM apiKeys);
    db.run(DELETE FROM combos);
    db.run(DELETE FROM kv WHERE scope IN (...));
    // Then insert attacker-controlled data
    // ...
  });
}

The exportDb function at line 80 exposes API key plaintext:

apiKeys: db.all(SELECT * FROM apiKeys).map((r) => ({ 
  id: r.id, key: r.key, name: r.name, ...
})),

Steps to Reproduce

  • Authenticate with any valid JWT (e.g., using the default password "123456")
  • Export: curl -b auth_token= http://localhost:20128/api/settings/database
  • Observe: Full database dump with all credentials in plaintext
  • Import malicious data: curl -X POST -b auth_token= -H "Content-Type: application/json" -d '' http://localhost:20128/api/settings/database
  • All settings, passwords, API keys are now replaced with attacker-controlled values

Impact

  • Confidentiality: Complete exposure of all stored secrets (API keys, OAuth tokens, OIDC client secrets)
  • Integrity: Complete database replacement with attacker-controlled data
  • Availability: Database wipe is possible by importing an empty database
  • Scope Changed: Importing new settings affects all users and downstream services

Recommended Fix

  • Require re-authentication for database export/import (not just an existing session)
  • Mask/redact API keys in export (or require explicit opt-in for key export)
  • Add confirmation step for import (require current password verification)
  • Implement database backup before import
  • Log all export/import operations with audit trail

CVSS v3
9.9
EG Score
9.9(high)
EPSS
KEV
Not listed

Published

July 6, 2026

Last Modified

July 6, 2026

Vendor Advisories for CVE-2026-55500(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Patch Availability(1)

Vendor / EcosystemFixed in / PatchReleasedSource
npm9routerghsa

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 4× in last 7d / 4× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 02:39 UTCEG score recompute
  2. 2026-07-07 02:39 UTCGHSA enrichment
  3. 2026-07-06 22:35 UTCEG score recompute
  4. 2026-07-06 22:35 UTCGHSA enrichment

Frequently asked(4)

What is CVE-2026-55500?
CVE-2026-55500 is a critical vulnerability published on July 6, 2026. 9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover Summary The /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full…
When was CVE-2026-55500 disclosed?
CVE-2026-55500 was first published in the National Vulnerability Database on July 6, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-55500?
CVE-2026-55500 has a CVSS v4.0 base score of 9.9 (CNA self-assessment; NVD's own analysis pending).
How do I remediate CVE-2026-55500?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-55500, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-55500

Explore →

Is Your Infrastructure Affected by CVE-2026-55500?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.