CVE-2026-6270
Authentication Bypass in @fastify/middie Due to Middleware Inheritance Flaw
Publication date: 2026-04-16
Last updated on: 2026-04-22
Assigner: openjs
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openjsf | @fastify/middie | all versions before 9.3.2 (9.3.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-436 | Interpretation Conflict: Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in @fastify/middie versions 9.3.1 and earlier, where inherited middleware is not properly registered on child plugin engine instances.
When a Fastify application registers authentication middleware in a parent scope and then registers child plugins using @fastify/middie, the child plugins do not inherit the authentication middleware from the parent.
This flaw allows unauthenticated requests to access routes defined in child plugin scopes, effectively bypassing authentication and authorization checks.
Upgrading to @fastify/middie version 9.3.2 fixes this issue. There are no known workarounds.
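As an added illustration (not code from @fastify/middie or Fastify), the toy model below shows why a child scope whose engine starts from an empty middleware list leaves its routes unauthenticated, and how copying the parent's middleware list into the child restores the check; every name in it (Scope, runRequest, requestStatus) is invented for the model.

```javascript
// Toy model of parent/child middleware scopes (constructed, not library code).
function authMiddleware(req, res, next) {
  if (req.headers.authorization !== 'Bearer valid-token') {
    res.statusCode = 401;
    return res.end('unauthorized'); // chain stops here, handler never runs
  }
  next();
}

class Scope {
  // inheritMiddleware=false models the flaw: a child engine begins with an
  // empty middleware list, so parent-registered auth is silently skipped.
  constructor(parent = null, inheritMiddleware = true) {
    this.middlewares = parent && inheritMiddleware ? [...parent.middlewares] : [];
    this.routes = new Map();
  }
  use(fn) { this.middlewares.push(fn); }
  get(path, handler) { this.routes.set(path, handler); }
  child(inheritMiddleware = true) { return new Scope(this, inheritMiddleware); }
}

// Runs the scope's middleware chain, then the route handler; returns the response.
function runRequest(scope, req) {
  const res = { statusCode: 200, body: '', end(b) { this.body = b; } };
  const handler = scope.routes.get(req.url);
  if (!handler) { res.statusCode = 404; return res; }
  let i = 0;
  const next = () => {
    const mw = scope.middlewares[i++];
    if (mw) mw(req, res, next); else handler(req, res);
  };
  next();
  return res;
}

// Parent registers auth; a child plugin scope defines /admin. Returns the
// status code a request with the given Authorization header receives.
function requestStatus(childInherits, authorization) {
  const app = new Scope();
  app.use(authMiddleware);
  const plugin = app.child(childInherits);
  plugin.get('/admin', (req, res) => res.end('secret'));
  const headers = authorization ? { authorization } : {};
  return runRequest(plugin, { url: '/admin', headers }).statusCode;
}
```

A regression test for a real application would make the same assertion against the running app: an unauthenticated request to a route defined inside a child plugin must not return 200.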
How can this vulnerability impact me?
This vulnerability can allow attackers to bypass authentication and authorization controls on routes defined in child plugin scopes of a Fastify application.
As a result, unauthorized users may gain access to sensitive or restricted resources, potentially leading to data breaches or unauthorized actions within the application.
Given the CVSS score of 9.1, the impact is considered high, with confidentiality and integrity being severely affected.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade @fastify/middie to version 9.3.2 or later.
There are no workarounds available for this issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated requests to bypass authentication and authorization checks in child plugin scopes of a Fastify application. Such unauthorized access could lead to exposure of sensitive data or unauthorized actions.
By permitting unauthorized access, this issue could potentially lead to non-compliance with standards and regulations that require strict access controls and protection of sensitive information, such as GDPR and HIPAA.
However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.