Security Audit Report

SECURITY-AUDIT-2026-01-27.pdf

17 findingsScanned Jan 27, 2026

openrouter.ai

App Router

1Crit

10High

6Low

Attack Surface

154

Routes

Query Params

Custom Headers

GET

/_app

GET

/[author]

GET

/[maker-id]/[slug]

GET

/[maker-id]/[slug]/api

?sort

GET

/[maker]/[slug]

GET

/[permaslug]

GET

/[permaslug]/uptime

GET

/[slug]

GET

/[slug]:[variant]

GET

/[slug]:[variant]/[tab]

GET

/[slug]/[tab]

GET

/[variant_permaslug]

GET

/404

GET

/about

POST

/action/set-theme

GET

/activity

GET

/announcements

GET

/announcements/[slug]

GET

/announcements/all

GET

/api

POST

/api/[api]/responses

?api

GET

/api/early_access_features

?stage?token

GET

/api/frontend/all-providers

GET

/api/frontend/author-models

?authorSlug

GET

/api/frontend/endpoint

?permaslug?provider?variant

GET

/api/frontend/llms-full-txt-proxy

GET

/api/frontend/models

GET

/api/frontend/models/find

?arch?categories?context?distillable?fmt?input_modalities?max_price?min_price?model_authors?order?output_modalities?pricing?providers?q?supported_parameters

GET

/api/frontend/provider-filters

GET

/api/frontend/providers

?permaslug?variant

GET

/api/frontend/stats/endpoint

?permaslug?variant

GET

/api/frontend/stats/latency-comparison

?colo?permaslug

GET

/api/frontend/stats/latency-e2e-comparison

?colo?permaslug

GET

/api/frontend/stats/model-activity

?permaslug?variant

GET

/api/frontend/stats/throughput-comparison

?colo?permaslug

GET

/api/frontend/stats/top-apps-for-model

?permaslug?variant

GET

/api/frontend/stats/top-colos-for-model

?permaslug

GET

/api/frontend/stats/uptime-hourly

?id

GET

/api/frontend/stats/uptime-recent

?permaslug

GET

/api/frontend/uptime-graphs

?permaslug?variant

GET

/api/internal/v1/provider-preferences

GET

/api/models/search

POST

/api/subscribe/email

GET

/api/v1

GET

/api/v2/${e}

?_dd.api?_dd.retry_after?_dd.retry_count?application.id?batch_time?dd-api-key?dd-evp-encoding?dd-evp-origin?dd-evp-origin-version?dd-request-id?ddsource

GET

/apps

?url

GET

/billing/plans

?payer_type

GET

/billing/plans/[id]

GET

/careers

GET

/chat

?models

GET

/client

DELETE

/client/sessions

POST

/client/sessions/[id]/end

POST

/client/sessions/[id]/remove

POST

/client/sessions/[id]/tokens

?debug

POST

/client/sessions/[id]/tokens/[template]

?debug

POST

/client/sessions/[id]/touch

POST

/client/sessions/[id]/verify

POST

/client/sessions/[id]/verify/attempt_first_factor

POST

/client/sessions/[id]/verify/attempt_second_factor

POST

/client/sessions/[id]/verify/prepare_first_factor

POST

/client/sessions/[id]/verify/prepare_second_factor

POST

/client/sign_ins

POST

/client/sign_ins/[id]/attempt_first_factor

POST

/client/sign_ins/[id]/attempt_second_factor

POST

/client/sign_ins/[id]/prepare_first_factor

POST

/client/sign_ins/[id]/prepare_second_factor

POST

/client/sign_ups

POST

/client/sign_ups/[id]/attempt_verification

GET

/client/sign_ups/[id]/enterprise_connections

POST

/client/sign_ups/[id]/prepare_verification

GET

/client/touch

?redirect_url

POST

/client/verify

GET

/compare

GET

/compare/[maker]/[slug]

GET

/compare/[maker]/[slug]/[maker]/[slug]

GET

/compare/[maker]/[slug]/[maker]/[slug]/[maker]/[slug]

GET

/confirm

GET

/cron

GET

/docs

GET

/docs/api-reference

GET

/docs/api-reference/overview

GET

/docs/api-reference/parameters

GET

/docs/api/api-reference/endpoints/list-endpoints

GET

/docs/features/multimodal/image-generation

GET

/docs/guides/best-practices/uptime-optimization

GET

/docs/guides/community/frameworks-and-integrations-overview

GET

/docs/guides/features/broadcast

GET

/docs/guides/features/tool-calling

GET

/docs/guides/privacy/logging

GET

/docs/guides/routing/provider-selection

GET

/docs/provider-routing

GET

/docs/quickstart

GET

/docs/requests

GET

/docs/use-cases/reasoning-tokens

GET

/enterprise

POST

/flags

?config?only_evaluate_survey_feature_flags?v

GET

/incidents

GET

/incidents.rss

GET

/incidents/[id]

GET

/index

GET

/ingest

POST

/me/backup_codes

POST

/me/billing/checkouts

GET

/me/billing/payment_attempts

GET

/me/billing/payment_attempts/[id]

GET

/me/billing/statements

GET

/me/billing/statements/[id]

GET

/me/billing/subscription

POST

/me/external_accounts

GET

/me/organization_creation_defaults

DELETE

/me/organization_memberships/[id]

POST

/me/profile_image

POST

/me/sessions/[id]/revoke

GET

/me/sessions/active

POST

/me/totp

POST

/me/totp/attempt_verification

GET

/model/edit/[permaslug]

GET

/models

?order

GET

/models/[slug]

GET

/my-path

POST

/organizations/[orgId]/billing/checkouts

GET

/organizations/[orgId]/billing/payment_attempts

GET

/organizations/[orgId]/billing/payment_attempts/[id]

GET

/organizations/[orgId]/billing/statements

GET

/organizations/[orgId]/billing/statements/[id]

GET

/organizations/[orgId]/billing/subscription

GET

/partners

POST

/payment_methods

DELETE

/payment_methods/[id]

POST

/payment_methods/initialize

GET

/posting-api/job-board/openrouter

?includeCompensation

GET

/pricing

GET

/privacy

GET

/project/[token]/person/[distinct_id]

GET

/provider/[slug]

GET

/providers

GET

/rankings

?category

GET

/sdk

GET

/settings/credits

?utm_source

GET

/settings/integrations

GET

/settings/keys

?utm_source

GET

/settings/preferences

GET

/settings/privacy

GET

/sign-in

GET

/sign-up

GET

/sso-callback

GET

/state-of-ai

GET

/support

GET

/terms

POST

/waitlist

GET

/wrapped/2025

HTTP-Referer

Next-Action

Next-HMR-Refresh

Next-Router-Prefetch

Next-Router-Segment-Prefetch

Next-Router-State-Tree

Next-Url

Proxy-Authorization

RSC

Remote-Addr

X-API-Key

X-B3-Sampled

X-B3-SpanId

X-B3-TraceId

X-CSRF-Token

X-CSRFToken

X-Forwarded-For

X-RateLimit-Reset

X-Real-IP

X-Remix-Redirect

X-Remix-Reload-Document

X-Remix-Replace

X-Remix-Response

X-Remix-Revalidate

X-Remix-Status

X-Title

X-XSRF-Token

baggage

cf-connecting-ip

cf-connecting-ipv6

cf-ray

cf-worker

next-resume

or-client-forwarded-ip

purpose

sec-or-proxy-psk

traceparent

tracestate

x-action-redirect

x-action-revalidated

x-anthropic-beta

x-basehub-api-version

x-basehub-ref

x-custom-text

x-datadog-origin

x-datadog-parent-id

x-datadog-sampling-priority

x-datadog-trace-id

x-enable-fake-provider

x-grok-conv-id

x-grok-req-id

x-initial-delay-ms

x-is-upstream-sse

x-middleware-cache

x-middleware-prefetch

x-middleware-skip

x-next-cache-tags

x-next-revalidate-tag-token

x-next-revalidated-tags

x-nextjs-action-not-found

x-nextjs-data

x-nextjs-matched-path

x-nextjs-postponed

x-nextjs-prerender

x-nextjs-redirect

x-nextjs-rewrite

x-nextjs-rewritten-path

x-nextjs-rewritten-query

x-nextjs-stale-time

x-or-experiments-internal

x-orb-customer-id

x-orb-metering-metadata

x-per-chunk-delay-ms

x-prerender-revalidate

x-prerender-revalidate-if-generated

x-reasoning-tokens

x-session-id

x-simulate-mid-stream-error

x-stripe-customer-id

x-stripe-metering-metadata

x-text-generation-mode

Security Findings

11 findings redacted

CRITICAL

Sensitive data exposure detected

Credentials or API keys may be exposed in client-side code.

#1 of 17

HIGH

Cross-site scripting vulnerability

User input rendered without proper sanitization.

#2 of 17

HIGH

SQL injection risk detected

Database queries constructed using unsanitized user input.

#3 of 17

HIGH

Insecure deserialization

Untrusted data deserialized without validation.

#4 of 17

HIGH

Missing access control

Endpoints lack proper authorization checks.

#5 of 17

HIGH

Cross-site scripting vulnerability

User input rendered without proper sanitization.

#6 of 17

HIGH

SQL injection risk detected

Database queries constructed using unsanitized user input.

#7 of 17

HIGH

Insecure deserialization

Untrusted data deserialized without validation.

#8 of 17

HIGH

Missing access control

Endpoints lack proper authorization checks.

#9 of 17

HIGH

Cross-site scripting vulnerability

User input rendered without proper sanitization.

#10 of 17

HIGH

SQL injection risk detected

Database queries constructed using unsanitized user input.

#11 of 17

LOW

Unauthenticated Endpoint: /api/frontend/all-providers

Endpoint is accessible without authentication (HTTP 200)

Finding #12 of 17

Endpoint is accessible without authentication (HTTP 200)

Location

https://openrouter.ai/api/frontend/all-providers

Remediation

Review if this endpoint should require authentication

LOW

Unauthenticated Endpoint: /api/frontend/llms-full-txt-proxy

Endpoint is accessible without authentication (HTTP 200)

Finding #13 of 17

Endpoint is accessible without authentication (HTTP 200)

Location

https://openrouter.ai/api/frontend/llms-full-txt-proxy

Remediation

Review if this endpoint should require authentication

LOW

Unauthenticated Endpoint: /api/frontend/models

Endpoint is accessible without authentication (HTTP 200)

Finding #14 of 17

Endpoint is accessible without authentication (HTTP 200)

Location

https://openrouter.ai/api/frontend/models

Remediation

Review if this endpoint should require authentication

LOW

Unauthenticated Endpoint: /api/frontend/models/find

Endpoint is accessible without authentication (HTTP 200)

Finding #15 of 17

Endpoint is accessible without authentication (HTTP 200)

Location

https://openrouter.ai/api/frontend/models/find

Remediation

Review if this endpoint should require authentication

LOW

Unauthenticated Endpoint: /api/frontend/provider-filters

Endpoint is accessible without authentication (HTTP 200)

Finding #16 of 17

Endpoint is accessible without authentication (HTTP 200)

Location

https://openrouter.ai/api/frontend/provider-filters

Remediation

Review if this endpoint should require authentication

LOW

Unauthenticated Endpoint: /api/frontend/providers

Endpoint is accessible without authentication (HTTP 200)

Finding #17 of 17

Endpoint is accessible without authentication (HTTP 200)

Location

https://openrouter.ai/api/frontend/providers

Remediation

Review if this endpoint should require authentication

openrouter.ai

Attack Surface

Routes (154)

Custom Headers (82)

Security Findings

Sensitive data exposure detected

Cross-site scripting vulnerability

SQL injection risk detected

Insecure deserialization

Missing access control

Cross-site scripting vulnerability

SQL injection risk detected

Insecure deserialization

Missing access control

Cross-site scripting vulnerability

SQL injection risk detected

Unauthenticated Endpoint: /api/frontend/all-providers

Unauthenticated Endpoint: /api/frontend/llms-full-txt-proxy

Unauthenticated Endpoint: /api/frontend/models

Unauthenticated Endpoint: /api/frontend/models/find

Unauthenticated Endpoint: /api/frontend/provider-filters

Unauthenticated Endpoint: /api/frontend/providers