CRITICAL🇵🇱 Wersja polska

CVE-2026-6270

CVSS 9.1v3.1pub. 2026-04-16upd. 2026-05-14

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Fastify Fastify\/middie

    APP
    Fastify
    < 9.3.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-14198CRITICAL9.1ten sam produkt

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before ...

CVE-2026-14181HIGH7.5ten sam produkt

@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone e...

CVE-2026-33804HIGH7.4ten sam produkt

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ign...

CVE-2026-2880HIGH8.2ten sam produkt

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when usi...

CVE-2026-22031HIGH8.4ten sam produkt

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability ex...