CVE-2026-41690
Received Received - Intake
Prototype Pollution in 18next-http-middleware

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41690
EUVD
EUVD-2026-28792
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
i18next i18next-http-middleware to 3.9.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, upgrade the 18next-http-middleware package to version 3.9.3 or later, as versions prior to 3.9.3 are vulnerable.

Executive Summary

The vulnerability exists in versions of 18next-http-middleware prior to 3.9.3. It allows an unauthenticated HTTP client to manipulate the Object.prototype in the Node.js process running the middleware. This happens through two unvalidated entry points called getResourcesHandler and missingKeyHandler, which permit internal object-key writes. As a result, this can lead to broken authorization checks, type-confusion denial of service (DoS), and potentially remote code execution (RCE) depending on downstream code.

Impact Analysis

This vulnerability can have several serious impacts. It can break authorization checks, for example causing conditions like (user.isAdmin) to return true for any user, effectively bypassing access controls. It can also cause type-confusion denial of service (DoS), disrupting the availability of the application. Furthermore, depending on how downstream code handles the manipulated objects, this vulnerability can be chained into remote code execution (RCE), allowing attackers to execute arbitrary code on the server.

Compliance Impact

The vulnerability allows unauthenticated attackers to manipulate Object.prototype in the Node.js process, potentially leading to authorization bypasses, denial of service, or remote code execution. Such security weaknesses can compromise the confidentiality, integrity, and availability of data handled by applications using the affected middleware.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to bypass authorization and execute code remotely could lead to unauthorized access or data breaches, which are critical concerns under these regulations.

Therefore, if exploited, this vulnerability could negatively impact compliance with common security and privacy regulations by exposing sensitive data or disrupting service integrity.

Detection Guidance

This vulnerability can be detected by identifying if your system is running a vulnerable version of the i18next-http-middleware package, specifically any version prior to 3.9.3.

Since the vulnerability involves unauthenticated HTTP clients sending specially crafted requests to the getResourcesHandler or missingKeyHandler endpoints, monitoring HTTP traffic for suspicious requests containing prototype pollution payloads targeting keys like __proto__, constructor, or prototype can help detect exploitation attempts.

There are no specific commands provided in the resources to detect this vulnerability directly. However, you can check the installed package version with a command like:

  • npm list i18next-http-middleware

To monitor HTTP requests for suspicious payloads, you might use network capture tools (e.g., tcpdump, Wireshark) or web server logs to look for requests containing __proto__ or constructor keys in query parameters or request bodies.

Since no direct detection commands or scripts are provided, the recommended action is to upgrade to version 3.9.3 or later to mitigate the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41690. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart