CVE-2026-6270CRITICAL 9.1EPSS p38.7%

CVE-2026-6270CVE-2026-6270

Description

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS0.50% probability of exploitation · percentile 38.7% · 2026-06-18T12:00:27Z
Published2026-04-16
Last modified2026-05-14

Underlying weaknesses· 1

CWE-436

References

  1. https://cna.openjsf.org/security-advisories.html
  2. https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c
  3. https://github.com/fastify/middie/security/advisories/GHSA-72c6-fx6q-fr5w

1

TypeTargetConfidenceTier
WeaknessInterpretation Conflictcwe-4360%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-2880
CVE
CVE-2026-22031
CVE
CVE-2026-33804
CVE
CVE-2026-33807
CVE
CVE-2026-2293
CVE
CVE-2026-22037
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.