DEV Community

CVE Reports

Originally published at cvereports.com


CVE-2026-6270: Authentication Bypass via Middleware Interpretation Conflict in Fastify Middie

Vulnerability ID: CVE-2026-6270
CVSS Score: 9.1
Published: 2026-04-16

CVE-2026-6270 is a critical authentication and authorization bypass in the Fastify ecosystem, specifically in @fastify/middie and in @fastify/fastify-express, which builds on it. The flaw is an interpretation conflict (CWE-436) in how middleware path matching is propagated into prefixed child plugins: the middleware layer and the router do not agree on which path a request belongs to, so a request that the router dispatches to a protected child-plugin route can fail to trigger the security middleware mounted in front of it. An unauthenticated attacker can therefore reach routes that were meant to be guarded.

TL;DR

Authentication bypass in @fastify/middie <= 9.3.1 (and @fastify/fastify-express <= 4.0.4, which depends on it): middleware path propagation does not line up with the router's path matching, so prefix-mounted security guards can be skipped.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-436
  • Attack Vector: Network
  • CVSS v3.1 Score: 9.1 (Critical)
  • Impact: Authentication and Authorization Bypass
  • Exploit Status: Proof of Concept (PoC) Available
  • KEV Status: Not Listed

Affected Systems

  • @fastify/middie <= 9.3.1 (fixed in 9.3.2)
  • @fastify/fastify-express <= 4.0.4 (fix depends on pulling in the patched middie)
  • Node.js applications using Fastify with nested (prefixed child) plugin architectures

Code Analysis

Commit: ca42dd7

Fix direct engine middleware registration bypassing scope propagation prefixes.

Commit: 29162c8

Implement resolveNormalizationOptions to synchronize path matching configurations.

Exploit Details

  • GitHub Security Advisory: proof-of-concept code documenting the duplicate-slash bypass, in which a request path containing a doubled slash is handled under one path-normalization configuration by the router and under a different one by the middleware matcher, so the guard mounted for the protected prefix never runs.

Mitigation Strategies

  • Upgrade @fastify/middie to 9.3.2 or later.
  • Force the transitive @fastify/middie pulled in by @fastify/fastify-express to a patched version (npm overrides or Yarn resolutions), since its fix depends on the middie update.
  • Enforce authentication and authorization with native Fastify lifecycle hooks (for example preHandler) registered in the plugin whose routes they protect, instead of Express-style middleware mounted by path prefix; a hook is bound to the route, so it cannot be desynchronized from the router's path matching.
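The following is an added example, not code from @fastify/middie, @fastify/fastify-express or the advisory's PoC. It is a constructed, dependency-free model of the bug class described in the exploit details and of the two mitigations above: a guard mounted under a path prefix is matched against the raw request URL while the router matches a normalized one, so a doubled slash skips the guard; synchronizing the normalization (the analogue of the patched behaviour) or attaching the guard to the route itself (the analogue of a Fastify preHandler hook) closes the gap. The route paths, the /admin prefix, the bearer token and the app internals are all assumptions.

```javascript
'use strict';
// Added example: a constructed model of the bug class behind this advisory, not
// code from @fastify/middie, @fastify/fastify-express or the advisory's PoC.
// Route paths, the guard prefix and the bearer token are assumptions.

// Collapse runs of slashes, as a router with duplicate-slash normalisation does.
function normalizePath(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Tiny app with two ways to protect a route:
//  - use(prefix, guard): an Express-style guard mounted under a path prefix
//  - route(path, handler, { preHandler }): a guard attached to the route itself
// When syncNormalization is false, the prefix guard is matched against the raw
// request URL while the router matches the normalised one (the modelled flaw).
function createApp({ syncNormalization }) {
  const routes = new Map();
  const guards = [];
  return {
    use(prefix, guard) {
      guards.push({ prefix, guard });
    },
    route(path, handler, opts = {}) {
      routes.set(path, { handler, preHandler: opts.preHandler });
    },
    handle(req) {
      const routePath = normalizePath(req.url);
      const guardPath = syncNormalization ? routePath : req.url;
      for (const { prefix, guard } of guards) {
        if (guardPath === prefix || guardPath.startsWith(prefix + '/')) {
          const denied = guard(req);
          if (denied) return denied; // guard short-circuited, e.g. 401
        }
      }
      const entry = routes.get(routePath);
      if (!entry) return { status: 404 };
      if (entry.preHandler) {
        const denied = entry.preHandler(req);
        if (denied) return denied;
      }
      return entry.handler(req);
    },
  };
}

// Constructed auth check: a 401 response to short-circuit, or null to continue.
function requireToken(req) {
  const auth = (req.headers && req.headers.authorization) || '';
  return auth === 'Bearer secret-token' ? null : { status: 401 };
}

// Wire the protected route either through a prefix-mounted guard or a route hook.
function buildApp({ syncNormalization, useRouteHook }) {
  const app = createApp({ syncNormalization });
  const handler = () => ({ status: 200 });
  if (useRouteHook) {
    app.route('/admin/users', handler, { preHandler: requireToken });
  } else {
    app.use('/admin', requireToken);
    app.route('/admin/users', handler);
  }
  return app;
}

// Status code a request receives under a given configuration.
function probe(syncNormalization, useRouteHook, url, headers = {}) {
  return buildApp({ syncNormalization, useRouteHook }).handle({ url, headers }).status;
}

// Matrix for an unauthenticated request whose path has a doubled leading slash.
function summary() {
  const url = '//admin/users';
  return {
    prefixGuardRawPath: probe(false, false, url), // 200: guard skipped (the bug)
    prefixGuardSynced: probe(true, false, url), // 401: matcher uses the router's path
    routeHook: probe(false, true, url), // 401: hook is bound to the route
    routeHookWithToken: probe(false, true, url, { authorization: 'Bearer secret-token' }), // 200
  };
}

console.log(JSON.stringify(summary(), null, 2));
```

In Fastify terms, the prefix-mounted guard corresponds to middleware registered through `fastify.use()` after loading middie, and the route-bound guard corresponds to `fastify.addHook('preHandler', ...)` registered inside the child plugin that owns the routes. The model shows why the third mitigation above is robust independently of the patch: a hook runs only after the router has already resolved the route, so there is no second path matcher to fall out of sync.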

Remediation Steps:

  1. Run npm audit (and npm ls @fastify/middie) to find every copy of @fastify/middie in the dependency tree, including transitive ones.
  2. Update package.json to require @fastify/middie@^9.3.2.
  3. If using @fastify/fastify-express, add an npm overrides or Yarn resolutions entry so its nested @fastify/middie is also forced to 9.3.2 or later.
  4. Rebuild the application and run the test suite, including negative tests that unauthenticated requests to protected routes are still rejected when the request path contains a doubled slash.
  5. Deploy the patched application to production environments.
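An added package.json fragment (not from the advisory) covering steps 2 and 3: it requires the patched @fastify/middie directly and also forces the copy that @fastify/fastify-express pulls in transitively. npm reads the `overrides` field and Yarn reads `resolutions`; keep the one that matches your package manager. The package names and fixed version are the advisory's; the surrounding dependency entries are placeholders.

```json
{
  "dependencies": {
    "fastify": "^5.0.0",
    "@fastify/fastify-express": "^4.0.4",
    "@fastify/middie": "^9.3.2"
  },
  "overrides": {
    "@fastify/middie": "^9.3.2"
  },
  "resolutions": {
    "@fastify/middie": "^9.3.2"
  }
}
```

After reinstalling, confirm with npm ls @fastify/middie (or yarn why @fastify/middie) that no copy older than 9.3.2 remains anywhere in the tree; a single nested vulnerable copy under fastify-express is enough to leave the bypass reachable.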

