Platform
nodejs
Component
@fastify/middie
Fixed in
9.3.2
9.3.2
CVE-2026-6270 describes an Authentication Bypass vulnerability in the @fastify/middie middleware library for Node.js. This flaw allows attackers to circumvent middleware security controls, potentially compromising sensitive data and system functionality. The vulnerability affects versions 0.0.0 through 9.3.2 of @fastify/middie, and a fix is available in version 9.3.2.
The core of the issue lies in how @fastify/middie handles middleware path propagation to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is incorrectly modified. This silent modification prevents the middleware from matching incoming requests, effectively bypassing all security measures implemented through middleware. This includes authentication, authorization, rate limiting, and other critical security controls. The impact is particularly severe for applications relying on middleware for security enforcement, as attackers can bypass these protections entirely, gaining unauthorized access to resources and functionality within the affected child plugin scopes. Nested plugins (grandchild scopes) are also vulnerable.
CVE-2026-6270 was publicly disclosed on 2026-04-16. The vulnerability's severity is rated as CRITICAL (CVSS 9.1). Currently, there are no publicly available proof-of-concept exploits, but the ease of exploitation once a PoC is developed raises concerns. It is not listed on the CISA KEV catalog as of this writing.
Exploit Status
EPSS
0.06% (18% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to @fastify/middie version 9.3.2 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider temporarily disabling or modifying affected child plugins to reduce the attack surface. Review your application's middleware configuration to identify potential overlaps between parent and child plugin scopes. Implement stricter input validation and output encoding to minimize the impact of potential exploits. Consider using a Web Application Firewall (WAF) to filter malicious requests targeting vulnerable endpoints, although this is not a substitute for patching.
Upgrade to version 9.3.2 or later of @fastify/middie to fix the vulnerability. This update corrects the middleware inheritance issue, ensuring that authentication is correctly applied to all routes, even in child plugins.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-6270 is a critical vulnerability in @fastify/middie allowing attackers to bypass middleware security controls due to incorrect path propagation in child plugin scopes.
You are affected if your Node.js application uses @fastify/middie versions 0.0.0 through 9.3.2. Check your dependencies immediately.
Upgrade to @fastify/middie version 9.3.2 or later to resolve the vulnerability. Review your middleware configuration for potential overlaps.
While no public exploits are currently available, the vulnerability's severity and ease of exploitation suggest it could be targeted soon.
Refer to the official @fastify/middie GitHub repository and associated security advisories for the latest information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.