CVE-2026-30246
Fiber Cache Middleware Query String Handling Flaw
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gofiber | fiber | up to 3.1.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-436 | Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30246 is a vulnerability in the Fiber web framework's cache middleware (versions up to 3.1.0) where the default cache key generator uses only the request path and ignores the query string.
Because of this, different requests to the same path but with different query parameters share the same cache key, causing the cache to return incorrect responses.
This can lead to response mix-ups where data intended for one request is exposed to another, especially for endpoints that depend on query parameters.
How can this vulnerability impact me?
This vulnerability can cause sensitive data exposure by serving cached responses from one request to another with different query parameters.
It can also corrupt the integrity of responses by mixing up data between requests, potentially leading to incorrect or misleading information being delivered.
The vulnerability has a moderate severity (CVSS score 6.5) and does not require any privileges or user interaction to be exploited.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether the cache middleware in Fiber versions up to 3.1.0 improperly shares cached responses for requests with the same path but different query parameters.
A practical approach is to send multiple HTTP requests to the same endpoint path with different query strings and observe if the responses are incorrectly shared or mixed.
- Use curl or a similar tool to send requests such as `curl 'http://yourserver/path?id=1'` followed by `curl 'http://yourserver/path?id=2'`, then compare the two responses.
- If the second request returns the cached response from the first request despite the different query parameters, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Fiber web framework to a version later than 3.1.0 where the cache middleware's default key generator includes the normalized query string or canonicalized URL.
Alternatively, if upgrading is not immediately possible, modify the cache middleware configuration to use a custom cache key generator that incorporates the query string to avoid cache key collisions.
Additionally, review and test your cache usage to ensure that sensitive data is not exposed due to shared cache keys.
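The following Go program is an added illustration of both the two-request check described under detection and the custom key generator recommended under mitigation; it is not Fiber's code. It stands in a minimal memoising wrapper (`WithCache`), a sample endpoint (`userHandler`) and the host `example.test` for a real Fiber application, and compares a path-only key generator with one that appends the canonicalised query string.

```go
package main

import (
	"fmt"
	"net/url"
)

// PathOnlyKey reproduces the flawed default: the query string never reaches the key.
func PathOnlyKey(u *url.URL) string { return u.Path }

// PathAndQueryKey is a hardened generator: it appends the query string in
// canonical form (url.Values.Encode sorts parameters by name), so requests
// that differ only in query parameters get distinct keys.
func PathAndQueryKey(u *url.URL) string {
	if q := u.Query().Encode(); q != "" {
		return u.Path + "?" + q
	}
	return u.Path
}

// WithCache wraps handler with a memoising layer keyed by gen. It is a
// constructed stand-in for a cache middleware, not Fiber's own code.
func WithCache(gen, handler func(*url.URL) string) func(string) (string, error) {
	store := map[string]string{}
	return func(rawURL string) (string, error) {
		u, err := url.Parse(rawURL)
		if err != nil {
			return "", err
		}
		k := gen(u)
		if resp, ok := store[k]; ok {
			return resp, nil // hit: served regardless of this request's query string
		}
		store[k] = handler(u)
		return store[k], nil
	}
}

// userHandler is a constructed sample endpoint whose output depends on ?id=.
func userHandler(u *url.URL) string { return "profile for id=" + u.Query().Get("id") }

func main() {
	for name, gen := range map[string]func(*url.URL) string{"path-only": PathOnlyKey, "path+query": PathAndQueryKey} {
		serve := WithCache(gen, userHandler)
		a, _ := serve("http://example.test/profile?id=1")
		b, _ := serve("http://example.test/profile?id=2")
		fmt.Printf("%-10s: %q then %q (mix-up: %v)\n", name, a, b, a == b)
	}
}
```

With the path-only generator the second request is answered with the id=1 response, which is the mix-up the advisory describes; with the path-and-query generator each request gets its own entry.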
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Fiber's cache middleware can cause response mix-ups where cached responses intended for one request are served to another request with different query parameters. This may lead to the exposure of sensitive data to unauthorized parties.
Such unintended data exposure can impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls to prevent unauthorized disclosure of personal or sensitive information.
Because the vulnerability involves exposure of sensitive information (classified under CWE-200) and use of cache containing sensitive information (CWE-524), it poses a risk to confidentiality and integrity, which are key principles in these standards.