CVE-2026-6270
Status: Received - Intake
Authentication Bypass in @fastify/middie Due to Middleware Inheritance Flaw

Publication date: 2026-04-16

Last updated on: 2026-04-22

Assigner: openjs

Description
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.
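The description above turns on one property: each plugin scope has its own middleware engine instance, and the flaw is that the parent's middleware was not registered on the child's instance. The following block is an added, deliberately simplified model of that scope behaviour; it is not code from Fastify or @fastify/middie, and every name in it (MiddieEngine, Scope, requireAuth, buildApp, statusFor) is constructed for the example. It reproduces the bypass with the inheritance switch off, shows the corrected behaviour with it on, and ends with the regression check a maintainer would keep in a test suite.

```javascript
// Added example: a deliberately simplified model of plugin scopes with a
// per-scope middleware engine. It is NOT code from Fastify or @fastify/middie;
// all names here (MiddieEngine, Scope, requireAuth, buildApp) are constructed.
// It shows the property the advisory describes: if the parent's middleware is
// not registered on the child's engine instance, child routes run unchecked.

class MiddieEngine {
  constructor() {
    this.middlewares = [];
  }
  use(fn) {
    this.middlewares.push(fn);
  }
  // Run the chain in order. A middleware that returns a response ends the
  // request (for example a 401); returning null passes control onwards.
  run(req) {
    for (const mw of this.middlewares) {
      const res = mw(req);
      if (res) return res;
    }
    return null;
  }
}

class Scope {
  // `inheritParentMiddleware` is the switch between the two behaviours:
  // false models the flaw, true models the corrected behaviour.
  constructor(parent, inheritParentMiddleware) {
    this.engine = new MiddieEngine();
    this.routes = new Map();
    this.children = [];
    this.inheritParentMiddleware = inheritParentMiddleware;
    if (parent && inheritParentMiddleware) {
      // Corrected behaviour: register the parent's middleware directly on
      // this child's own engine instance.
      for (const mw of parent.engine.middlewares) this.engine.use(mw);
    }
  }
  use(fn) {
    this.engine.use(fn);
  }
  get(path, handler) {
    this.routes.set(path, handler);
  }
  register(plugin) {
    const child = new Scope(this, this.inheritParentMiddleware);
    this.children.push(child);
    plugin(child);
    return child;
  }
  // Only the engine of the scope that owns the route runs for a request.
  dispatch(req) {
    if (this.routes.has(req.url)) {
      return this.engine.run(req) || this.routes.get(req.url)(req);
    }
    for (const child of this.children) {
      const res = child.dispatch(req);
      if (res) return res;
    }
    return null; // no route matched
  }
}

// Constructed authentication middleware: accepts one fixed bearer token.
function requireAuth(req) {
  if (req.headers.authorization !== 'Bearer valid-token') {
    return { status: 401, body: 'unauthorized' };
  }
  return null;
}

// Parent scope registers auth, then registers a child plugin with routes.
function buildApp({ childInheritsMiddleware }) {
  const app = new Scope(null, childInheritsMiddleware);
  app.use(requireAuth);
  app.get('/parent', () => ({ status: 200, body: 'parent ok' }));
  app.register((child) => {
    child.get('/admin/users', () => ({ status: 200, body: 'user list' }));
  });
  return app;
}

// The regression check a defender would keep in a test suite: every route,
// in every scope, must answer an unauthenticated request with 401.
function statusFor(app, url, headers = {}) {
  const res = app.dispatch({ url, headers });
  return res ? res.status : 404;
}

const vulnerable = buildApp({ childInheritsMiddleware: false });
const fixed = buildApp({ childInheritsMiddleware: true });
console.log('flawed  /parent      ->', statusFor(vulnerable, '/parent'));      // 401
console.log('flawed  /admin/users ->', statusFor(vulnerable, '/admin/users')); // 200: the bypass
console.log('fixed   /admin/users ->', statusFor(fixed, '/admin/users'));      // 401
```

The useful part for a defender is `statusFor` applied to every registered route: an application-level test that walks all routes and asserts 401 without credentials catches this class of scope-inheritance regression regardless of which middleware library is underneath. Real Fastify encapsulation has more rules than this model (async plugin loading, per-scope decorators); the model keeps only the property the advisory names.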
Meta Information
Published: 2026-04-16
Last Modified: 2026-04-22
Generated: 2026-06-16
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: openjsf | Product: @fastify/middie | Version / Range: up to 9.3.2 (excluding)
Exploitability
CWE-436 (Interpretation Conflict): Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
AI Quick Actions
Executive Summary

The vulnerability exists in @fastify/middie versions 9.3.1 and earlier, where inherited middleware is not properly registered on child plugin engine instances.

When a Fastify application registers authentication middleware in a parent scope and then registers child plugins using @fastify/middie, the child plugins do not inherit the authentication middleware from the parent.

This flaw allows unauthenticated requests to access routes defined in child plugin scopes, effectively bypassing authentication and authorization checks.

Upgrading to @fastify/middie version 9.3.2 fixes this issue. There are no known workarounds.

Impact Analysis

This vulnerability can allow attackers to bypass authentication and authorization controls on routes defined in child plugin scopes of a Fastify application.

As a result, unauthorized users may gain access to sensitive or restricted resources, potentially leading to data breaches or unauthorized actions within the application.

Given the CVSS score of 9.1, the impact is considered high, with confidentiality and integrity being severely affected.

Mitigation Strategies

To mitigate this vulnerability, upgrade @fastify/middie to version 9.3.2 or later.

There are no workarounds available for this issue.
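Since the only mitigation is the upgrade, the practical check is whether any copy of @fastify/middie in a deployment's dependency tree is still below 9.3.2, including nested copies that a glance at the top-level package.json would miss. The block below is an added example, not code from the advisory or the project: a dependency-free Node.js audit of an npm package-lock.json against the fixed version named above. The helper names are the example's own, and SAMPLE_LOCK is a constructed lockfile.

```javascript
// Added example (not from the advisory or the project): audit an npm
// package-lock.json for copies of @fastify/middie below the fixed release
// 9.3.2 named in the advisory, including nested copies that a glance at the
// top-level package.json would miss. SAMPLE_LOCK below is a constructed
// lockfile; the helper names are this example's own.

const PACKAGE = '@fastify/middie';
const FIXED_VERSION = '9.3.2';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (leading "v" tolerated).
function parseVersion(v) {
  const s = String(v).replace(/^v/, '');
  const dash = s.indexOf('-');
  const core = dash === -1 ? s : s.slice(0, dash);
  const pre = dash === -1 ? null : s.slice(dash + 1);
  const nums = core.split('.').map((n) => Number.parseInt(n, 10));
  if (nums.length !== 3 || nums.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return { nums, pre };
}

// Numeric comparison per field, so 9.10.0 > 9.3.2; a prerelease of X sorts
// below the release X. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Every installed copy of `name`. Lockfile v2/v3 keeps a flat "packages" map
// keyed by install path; lockfile v1 nests entries under "dependencies".
function findPackageVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${name}`) && entry.version) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [depName, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name && entry.version) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Returns the copies that still need the upgrade.
function auditLockfile(lock) {
  return findPackageVersions(lock, PACKAGE).filter((c) => isVulnerable(c.version));
}

// Convenience wrapper for raw file contents read from disk by the caller.
function auditLockfileText(jsonText) {
  return auditLockfile(JSON.parse(jsonText));
}

// Constructed sample: a top-level copy still on 9.3.1 and a nested copy that
// a plugin pulled in at the fixed version.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@fastify/middie': '^9.0.0' } },
    'node_modules/@fastify/middie': { version: '9.3.1' },
    'node_modules/some-plugin': { version: '1.0.0' },
    'node_modules/some-plugin/node_modules/@fastify/middie': { version: '9.3.2' },
  },
};

for (const hit of auditLockfile(SAMPLE_LOCK)) {
  console.log(`VULNERABLE ${hit.path} ${hit.version} (< ${FIXED_VERSION})`);
}
```

Pass the contents of a real package-lock.json to `auditLockfileText`; an empty result means every installed copy is at or above 9.3.2. The comparison is done numerically per field rather than as a string, because a lexical compare would wrongly treat a future 9.10.x as older than 9.3.2.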

Compliance Impact

This vulnerability allows unauthenticated requests to bypass authentication and authorization checks in child plugin scopes of a Fastify application. Such unauthorized access could lead to exposure of sensitive data or unauthorized actions.

By permitting unauthorized access, this issue could potentially lead to non-compliance with standards and regulations that require strict access controls and protection of sensitive information, such as GDPR and HIPAA.

However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.
