CRITICAL · CVE-2026-6270 · CVSS 9.1

CVE-2026-6270: Authentication Bypass in @fastify/middie

Platform

nodejs

Component

@fastify/middie

Fixed in

9.3.2

AI Confidence: high · Source: NVD · EPSS: 0.06% · Reviewed: May 2026

CVE-2026-6270 describes an authentication bypass in @fastify/middie, the middleware engine that lets Fastify applications on Node.js run Express-style middleware. Middleware registered in a parent plugin scope with a path is not propagated correctly into child plugin scopes whose prefix overlaps that path: the middleware silently stops matching requests to routes in those scopes, so any control it implements (authentication, authorization, rate limiting) is simply not applied there. All versions before 9.3.2 (0.0.0 through 9.3.1) are affected; the fix is in 9.3.2.

Impact and Attack Scenarios

The defect is in how @fastify/middie propagates a middleware's path into child plugin scopes. When a child plugin is registered with a prefix that overlaps the path of a middleware registered in the parent scope, the middleware path is rewritten incorrectly for that child scope. The rewrite is silent: registration succeeds, the child's routes keep working, but the middleware no longer matches requests to them. Every control the application implemented as middleware on that path (authentication, authorization, rate limiting, or any other check) is therefore skipped for those routes. No crafted payload is needed; an attacker simply sends ordinary requests, without credentials, to routes in an affected child scope and reaches resources and functionality that were supposed to be protected. Nested plugins (grandchild scopes) are affected in the same way. The impact is greatest for applications that rely on middleware, rather than Fastify hooks, as the sole enforcement point for authentication.

Exploitation Context

CVE-2026-6270 was publicly disclosed on 2026-04-16 and is rated CRITICAL (CVSS 9.1). No public proof-of-concept exploit has been reported as of this review, although the CISA SSVC Exploitation value recorded in the Threat Intelligence section below is "poc", so treat the absence of a public PoC as unconfirmed. Little exploit development is needed in any case: once an application contains an affected prefix overlap, an unauthenticated request to a route in that scope is the exploit. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.06% (18th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

CVSS v3.1 base score 9.1 (CRITICAL), as computed by nextguardhq.com: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What do these metrics mean?

Attack Vector: Network. The affected routes are reachable over the network; no local or physical access is required.
Attack Complexity: Low. No special conditions, timing or configuration are required beyond the prefix overlap already present in the application; any request to a route in an affected child scope is enough.
Privileges Required: None. The request carries no credentials; that is the point of the flaw.
User Interaction: None. No victim action is involved.
Scope: Unchanged. The impact is confined to the application using the vulnerable component.
Confidentiality: High. Data served by routes the bypassed middleware was meant to protect becomes readable to anyone.
Integrity: High. State-changing routes behind the bypassed middleware become callable by anyone.
Availability: None. The service keeps running; nothing here disrupts it.

Affected Software

Component: @fastify/middie
Vendor: fastify (the @fastify npm scope)
Affected range: 0.0.0 – 9.3.1
Fixed in: 9.3.2

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published: 2026-04-16
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation is to upgrade @fastify/middie to 9.3.2 or later. If that is not immediately possible, review every plugin registration that uses a prefix and compare the prefix against the paths of middleware registered in enclosing scopes; where they overlap, assume the middleware is not being applied to the child's routes. As an interim control, enforce authentication for those routes with a Fastify onRequest or preHandler hook registered inside the child scope, which does not depend on middie's path propagation, and confirm with an unauthenticated request against each protected route that it is now rejected with 401 or 403. Temporarily disabling affected child plugins reduces exposure where their routes are non-essential. Generic hardening such as input validation does not address this flaw, which is the omission of a control rather than a malformed input. A Web Application Firewall can block credential-less requests to known-protected prefixes as a stop-gap, but it is not a substitute for patching.
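A black-box verification step for the review described above, added here as example code that is not part of @fastify/middie or Fastify. probeUnauthenticated() sends credential-less requests to routes that are supposed to sit behind authentication and reports any that answer with something other than 401 or 403, which is the observable symptom of this bug. The demo server, its two prefixes and its bearer-token check are constructed stand-ins for an application; in real use, point the probe at a staging instance of your own service with its actual protected routes.

```javascript
// Added example for CVE-2026-6270 (not code from @fastify/middie or Fastify):
// probe routes that should be behind authentication middleware and report any
// that accept a request carrying no credentials.

// Sends an unauthenticated request to each route. A 2xx here is exactly what a
// silently mis-propagated middleware path produces: the route works, the
// middleware never ran.
async function probeUnauthenticated(baseUrl, routes) {
  const report = [];
  for (const { method, path } of routes) {
    const res = await fetch(baseUrl + path, { method, redirect: "manual" });
    await res.text(); // drain the body so the connection can be reused/closed cleanly
    const enforced = res.status === 401 || res.status === 403;
    report.push({ method, path, status: res.status, enforced });
  }
  return report;
}

// Constructed demo server. /api/admin enforces a bearer-token check; the
// overlapping prefix /api/v1/admin does not, modelling a child scope whose
// inherited middleware silently stopped matching. Hypothetical routes only.
async function startDemoServer() {
  const { createServer } = await import("node:http");
  const server = createServer((req, res) => {
    const authed = (req.headers.authorization || "").startsWith("Bearer ");
    if (req.url.startsWith("/api/admin") && !authed) {
      res.statusCode = 401;
      return res.end();
    }
    res.statusCode = 200;
    res.end(JSON.stringify({ ok: true, path: req.url }));
  });
  await new Promise((resolve) => server.listen(0, "127.0.0.1", resolve));
  const { port } = server.address();
  return { server, baseUrl: `http://127.0.0.1:${port}` };
}

// Routes the application believes are protected (constructed list).
const PROTECTED_ROUTES = [
  { method: "GET", path: "/api/admin/users" },
  { method: "GET", path: "/api/v1/admin/users" },
];

// Starts the demo server, probes it, shuts it down and returns the report.
async function demo() {
  const { server, baseUrl } = await startDemoServer();
  try {
    return await probeUnauthenticated(baseUrl, PROTECTED_ROUTES);
  } finally {
    server.close();
    server.closeAllConnections?.(); // Node 18.2+: drop keep-alive sockets so the process exits promptly
  }
}

demo().then((report) => {
  for (const r of report) {
    console.log(`${r.enforced ? "OK  " : "FAIL"} ${r.method} ${r.path} -> ${r.status}`);
  }
});
```

The probe deliberately treats anything other than 401/403 as a failure, including 200 and 404: a 404 on a route you expected to exist is worth investigating too, and a redirect to a login page (3xx, reported because redirects are not followed) should be reviewed rather than assumed safe.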

How to fix

Upgrade to @fastify/middie 9.3.2 or later. The fix corrects the propagation of parent-scoped middleware paths into child and grandchild plugin scopes, so middleware such as authentication is once again applied to the routes those scopes define. After upgrading, confirm with an unauthenticated request to a route in a previously affected prefix that the request is rejected.


Frequently asked questions

What is CVE-2026-6270 — Authentication Bypass in @fastify/middie?

CVE-2026-6270 is a critical vulnerability in @fastify/middie allowing attackers to bypass middleware security controls due to incorrect path propagation in child plugin scopes.

Am I affected by CVE-2026-6270 in @fastify/middie?

You are affected if your Node.js application depends on @fastify/middie at any version below 9.3.2 (0.0.0 through 9.3.1) and registers child plugins with prefixes that overlap parent-scoped middleware paths; the first condition alone is reason enough to upgrade, since the overlap is easy to introduce later. Check your lockfile rather than only package.json, and include nested copies of the package pulled in by other dependencies.
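A dependency check matching the question above, written for this page rather than taken from the @fastify/middie project. It walks a package-lock.json in either the v1 "dependencies" layout or the v2/v3 "packages" layout, reports every installed copy of the package (including copies nested under other dependencies), and compares each against 9.3.2 with a small semver comparator; the lockfile embedded below is constructed for the demonstration.

```javascript
// Added check for CVE-2026-6270 (example code, not part of @fastify/middie):
// find every installed copy of @fastify/middie in a package-lock.json and flag
// versions below the fixed release 9.3.2.
const PACKAGE = "@fastify/middie";
const FIXED_VERSION = "9.3.2";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (optional leading "v").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] ?? null };
}

// Comparator in semver order: numeric core first, then a pre-release sorts
// below the corresponding release (so 9.3.2-rc.1 is still older than 9.3.2).
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (const part of ["major", "minor", "patch"]) {
    if (x[part] !== y[part]) return x[part] - y[part];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Lockfile v1: nested "dependencies" objects; each entry may carry its own "dependencies".
function walkV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps ?? {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === PACKAGE && entry.version) {
      out.push({ path, version: entry.version, vulnerable: isVulnerable(entry.version) });
    }
    walkV1(entry.dependencies, `${path}/`, out);
  }
}

// Lockfile v2/v3: flat "packages" map keyed by install path, e.g.
// "node_modules/@fastify/middie" or "node_modules/foo/node_modules/@fastify/middie".
function walkPackages(packages, out) {
  for (const [path, entry] of Object.entries(packages ?? {})) {
    if (path !== "" && path.endsWith(`node_modules/${PACKAGE}`) && entry.version) {
      out.push({ path, version: entry.version, vulnerable: isVulnerable(entry.version) });
    }
  }
}

// Returns one finding per installed copy; an empty array means the package is not installed.
function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) walkPackages(lock.packages, findings);
  else walkV1(lock.dependencies, "", findings);
  return findings;
}

// Constructed sample (v3 layout): the application's own copy is fixed, but a
// dependency still pins an older @fastify/middie under its own node_modules.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@fastify/middie": { version: "9.3.2" },
    "node_modules/legacy-plugin": { version: "2.1.0" },
    "node_modules/legacy-plugin/node_modules/@fastify/middie": { version: "9.2.0" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok"} ${f.path} ${f.version}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of your package-lock.json (JSON.parse of the file). The nested-copy case is the one that `npm ls @fastify/middie` at the top level can hide, and a nested copy is only relevant if some code path actually registers that instance, so treat a nested hit as something to trace rather than dismiss.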

How do I fix CVE-2026-6270 in @fastify/middie?

Upgrade to @fastify/middie version 9.3.2 or later to resolve the vulnerability. Review your middleware configuration for potential overlaps.

Is CVE-2026-6270 being actively exploited?

No public exploit code has been reported and the CVE is not in the CISA KEV catalog; EPSS currently estimates a 0.06% probability of exploitation. That should not be read as low urgency: exploitation needs nothing more than an unauthenticated request to a route in an affected scope, so wherever the prefix overlap exists the flaw is trivially exploitable by anyone who can reach the application.

Where can I find the official @fastify/middie advisory for CVE-2026-6270?

Refer to the official @fastify/middie GitHub repository and associated security advisories for the latest information and updates.
