CVE-2026-47200
Undergoing Analysis - In Progress
Nuxt Framework Missing Route Middleware Execution in Server Islands

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. This issue has been patched in versions 3.21.6 and 4.4.6.
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
nuxt nuxt From 3.11.0 (inc) to 3.21.6 (exc)
nuxt nuxt From 4.0.0-alpha.1 (inc) to 4.4.6 (exc)
nuxt nuxt From 3.20.0 (inc) to 3.21.6 (exc)
nuxt nuxt 3.21.6
nuxt nuxt 4.4.6
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-47200 is a vulnerability in the Nuxt.js framework related to its experimental componentIslands feature. When enabled, any .server.vue file under the pages/ directory is automatically registered as a server island and exposed via a special endpoint. The vulnerability occurs because requests to this endpoint render the page component directly without running the route middleware, which normally enforces security checks like authentication.

This means that middleware defined on the page, including authentication or other protections, is bypassed, allowing unauthenticated attackers to access server-rendered content that should be protected.

The fix ensures that route middleware runs for these server island pages: the requested route is validated before middleware executes, which prevents unauthorized access through mismatched island requests.

Impact Analysis

This vulnerability can allow unauthenticated attackers to bypass route-based authentication and access protected server-rendered pages directly via the island endpoint.

As a result, sensitive or restricted content that relies on middleware for access control could be exposed to unauthorized users.

Applications that enforce authentication solely through route middleware in .server.vue pages under the pages/ directory are particularly at risk.

However, applications that enforce authentication within the page component itself or its data layer are not affected by this vulnerability.

Detection Guidance

This vulnerability can be detected by checking whether your Nuxt application exposes the endpoint /__nuxt_island/page_* and whether requests to that endpoint return server-rendered HTML without enforcing the route middleware declared on the page.

You can test this by sending HTTP requests to the island endpoint and observing whether authentication or other middleware checks are bypassed.

  • Use curl or similar tools to send requests to the island endpoint, for example: curl -i https://yourdomain.com/__nuxt_island/page_home
  • Check server logs or network traffic for requests to /__nuxt_island/page_* endpoints that return content without triggering expected middleware.
  • Verify the Nuxt.js version and whether the experimental.componentIslands feature is enabled, as the vulnerability only affects certain versions and configurations.
Mitigation Strategies

The immediate mitigation is to update Nuxt to a patched version: 3.21.6 or 4.4.6, or later.

If updating is not immediately possible, you can disable the experimental.componentIslands feature to prevent exposure of the vulnerable endpoint.

Alternatively, restrict access to the /__nuxt_island/page_* endpoint at the reverse proxy or server middleware level to block unauthorized requests.

Another workaround is to enforce authentication or other security checks within the .server.vue pages themselves rather than relying solely on route middleware.
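As an added illustration of the server-middleware workaround above (example code written for this page, not code from the Nuxt project or the advisory): a gate that re-applies the page's authentication requirement to island requests for protected routes before the renderer is reached. It assumes the island path shape /__nuxt_island/page_<routeName> with an optional .json suffix, and that a list of protected route names (mirroring the pages whose definePageMeta({ middleware }) enforces auth) is maintained alongside it.

```javascript
// Added example (not from the Nuxt project or this advisory): a gate for the
// /__nuxt_island/page_<routeName> endpoint, intended for a Nuxt server
// middleware (e.g. server/middleware/island-guard.js) as a stop-gap until the
// application is on 3.21.6 / 4.4.6. Assumption: the island request path is
// /__nuxt_island/<name> with an optional .json suffix; only the page_ prefix
// named in the advisory is matched, other islands and normal routes pass.

const ISLAND_PREFIX = '/__nuxt_island/';
const PAGE_KEY_PREFIX = 'page_';

// Returns the page route name targeted by an island request, or null when the
// path is not a page-island request.
function islandPageRouteName(pathname) {
  if (!pathname.startsWith(ISLAND_PREFIX)) return null;
  let name = pathname.slice(ISLAND_PREFIX.length).split('/')[0];
  if (name.endsWith('.json')) name = name.slice(0, -'.json'.length);
  if (!name.startsWith(PAGE_KEY_PREFIX)) return null;
  const routeName = name.slice(PAGE_KEY_PREFIX.length);
  return routeName.length > 0 ? routeName : null;
}

// Decide whether to serve the request. `protectedRoutes` is the set of page
// route names whose route middleware enforces authentication; on vulnerable
// versions the island endpoint skips that middleware, so this gate applies the
// same requirement before rendering.
function gateIslandRequest({ pathname, isAuthenticated }, protectedRoutes) {
  const routeName = islandPageRouteName(pathname);
  if (routeName === null) return { action: 'allow' };
  if (!protectedRoutes.has(routeName)) return { action: 'allow' };
  if (isAuthenticated) return { action: 'allow' };
  // Mirror what the route middleware would do: refuse before rendering.
  return { action: 'deny', status: 401, routeName };
}

// Nuxt wiring, commented out so the module runs stand-alone. defineEventHandler,
// getRequestURL and createError are auto-imported inside server/; how the
// authenticated user reaches event.context is an assumption (set by your own
// auth middleware).
// const PROTECTED = new Set(['admin', 'account']);
// export default defineEventHandler((event) => {
//   const { pathname } = getRequestURL(event);
//   const isAuthenticated = Boolean(event.context.user);
//   const verdict = gateIslandRequest({ pathname, isAuthenticated }, PROTECTED);
//   if (verdict.action === 'deny') throw createError({ statusCode: verdict.status });
// });
```

The gate is a stop-gap only: it covers the page_ islands the advisory describes, and the real fix remains upgrading so route middleware runs on the island path itself.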

Compliance Impact

The vulnerability in Nuxt.js allows unauthenticated attackers to bypass route-based authentication middleware when accessing certain server-rendered pages via the /__nuxt_island/:name endpoint. This could lead to unauthorized access to protected content that is normally guarded by middleware checks.

Such unauthorized access could potentially result in exposure of sensitive or personal data, which may impact compliance with data protection regulations like GDPR or HIPAA if the affected applications handle such data.

However, applications that enforce authentication within the page or its data layer are not affected by this vulnerability. Additionally, workarounds such as disabling the componentIslands feature or restricting access to the vulnerable endpoint can mitigate the risk.

Therefore, the vulnerability poses a moderate risk to compliance with common standards and regulations by potentially allowing unauthorized data access if route middleware is the sole enforcement mechanism.
