9.1
CVE-2026-6270
- EPSS 0.5%
- Veröffentlicht 16.04.2026 13:44:46
- Zuletzt bearbeitet 14.05.2026 15:41:44
- Quelle ce714d77-add3-4f53-aff5-83d477
- CVE-Watchlists
- Unerledigt
Login@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fastify ≫ Fastify/middie SwPlatformnode.js Version < 9.3.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.5% | 0.387 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| ce714d77-add3-4f53-aff5-83d477b104bb | 9.1 | 3.9 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
CWE-436 Interpretation Conflict
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
https://cna.openjsf.org/security-advisories.html
https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c
https://github.com/fastify/middie/security/advisories/GHSA-72c6-fx6q-fr5w