{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2293", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2026-02-10T15:48:58.721Z", "datePublished": "2026-02-27T16:15:11.784Z", "dateUpdated": "2026-02-27T17:07:59.779Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected", "packageName": "nestjs", "platforms": ["Windows", "MacOS", "iOS"], "product": "nest.js", "vendor": "nest.js", "versions": [{"status": "affected", "version": "11.1.13"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nest.js:nest.js:11.1.13:*:windows:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:nest.js:nest.js:11.1.13:*:macos:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:nest.js:nest.js:11.1.13:*:ios:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Cristian Vargas"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.<br><br></p><p>This issue affects nest.Js: 11.1.13.</p>"}], "value": "A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.\n\n\n\nThis issue affects nest.Js: 11.1.13."}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.2, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-02-27T16:15:11.784Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/advisories/neton"}, {"tags": ["product"], "url": "https://github.com/nestjs/nest/"}, {"tags": ["patch"], "url": "https://github.com/nestjs/nest/releases/tag/v11.1.14"}], "source": {"discovery": "UNKNOWN"}, "title": "NestJS 11.1.13 - Lack of data validation allowing authentication/authorization bypass", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T17:06:38.795771Z", "id": "CVE-2026-2293", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:07:59.779Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2293", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T17:06:38.795771Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:07:48.467Z"}}], "cna": {"title": "NestJS 11.1.13 - Lack of data validation allowing authentication/authorization bypass", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Cristian Vargas"}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "nest.js", "product": "nest.js", "versions": [{"status": "affected", "version": "11.1.13"}], "platforms": ["Windows", "MacOS", "iOS"], "packageName": "nestjs", "collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://fluidattacks.com/advisories/neton", "tags": ["third-party-advisory"]}, {"url": "https://github.com/nestjs/nest/", "tags": ["product"]}, {"url": "https://github.com/nestjs/nest/releases/tag/v11.1.14", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.\n\n\n\nThis issue affects nest.Js: 11.1.13.", "supportingMedia": [{"type": "text/html", "value": "<p>A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.<br><br></p><p>This issue affects nest.Js: 11.1.13.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nest.js:nest.js:11.1.13:*:windows:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:nest.js:nest.js:11.1.13:*:macos:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:nest.js:nest.js:11.1.13:*:ios:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-02-27T16:15:11.784Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2293", "state": "PUBLISHED", "dateUpdated": "2026-02-27T17:07:59.779Z", "dateReserved": "2026-02-10T15:48:58.721Z", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "datePublished": "2026-02-27T16:15:11.784Z", "assignerShortName": "Fluid Attacks"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nestjs:nest:11.1.13:*:*:*:*:node.js:*:*", "matchCriteriaId": "738264DB-2E5D-413E-A768-643F1DFDD903", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.\n\n\n\nThis issue affects nest.Js: 11.1.13."}, {"lang": "es", "value": "Una aplicaci\u00f3n NestJS que utiliza @nestjs/platform-fastify puede permitir la omisi\u00f3n del middleware de autenticaci\u00f3n/autorizaci\u00f3n cuando las opciones de normalizaci\u00f3n de rutas de Fastify est\u00e1n habilitadas.\n\nEste problema afecta a nest.Js: 11.1.13."}], "id": "CVE-2026-2293", "lastModified": "2026-04-14T00:30:36.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "help@fluidattacks.com", "type": "Secondary"}]}, "published": "2026-02-27T17:16:33.357", "references": [{"source": "help@fluidattacks.com", "tags": ["Third Party Advisory", "Exploit"], "url": "https://fluidattacks.com/advisories/neton"}, {"source": "help@fluidattacks.com", "tags": ["Product"], "url": "https://github.com/nestjs/nest/"}, {"source": "help@fluidattacks.com", "tags": ["Release Notes"], "url": "https://github.com/nestjs/nest/releases/tag/v11.1.14"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "help@fluidattacks.com", "type": "Primary"}]}

{"bugzilla": {"description": "nestjs: NestJS: Authentication bypass via Fastify path-normalization", "id": "2443367", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443367"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-551", "details": ["A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.\nThis issue affects nest.Js: 11.1.13.", "A flaw was found in NestJS. When a NestJS application uses @nestjs/platform-fastify with Fastify path-normalization options enabled, a remote attacker can exploit this to bypass authentication and authorization middleware. This bypass allows unauthorized access to protected resources, compromising the application's security controls."], "name": "CVE-2026-2293", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-agent-installer-ui-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-02-27T16:15:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-2293\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2293\nhttps://fluidattacks.com/advisories/neton\nhttps://github.com/nestjs/nest/\nhttps://github.com/nestjs/nest/releases/tag/v11.1.14"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": ["windows", "macos", "ios"], "status": "affected", "versions": {"scheme": "semver", "value": "11.1.13"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "nest.js", "source": "cna", "vendor": "nest.js"}, "product": "nest.js", "vendor": "nest.js"}], "analysis": {"en": {"generated_at": "2026-04-18T10:15:09.586541+00:00", "value": {"mitigation_remediation": ["Upgrade NestJS to version 11.1.14 or later, which restores proper validation before authentication and authorization checks.", "If an upgrade cannot be performed immediately, disable Fastify\u2019s path\u2011normalisation options in the server configuration to prevent the bypass path.", "Audit the application to confirm that all authentication and authorization middleware execute before any route handlers or proxies, and correct any ordering or scope errors."], "summary": {"action": "Immediate Patch", "impact": "Authentication/Authorization Bypass"}, "threat_synthesis": {"affected_systems": "Any Node.js deployment of NestJS 11.1.13 that imports @nestjs/platform-fastify is affected. The vulnerability applies to applications running on Linux, macOS, or Windows where Fastify path\u2011normalisation is enabled. Users deploying the open\u2011source NestJS framework must ensure they are not using this specific release with the default configuration.", "description_and_impact": "The flaw arises when a NestJS application uses the @nestjs/platform-fastify package with Fastify's path\u2011normalisation options turned on. The framework fails to invoke its validation pipeline before executing authentication and authorization middleware, allowing crafted HTTP requests to bypass those checks. This defect corresponds to identity management weaknesses (CWE\u2011551) and authorization bypass (CWE\u2011863). An attacker can therefore reach endpoints or resources that should be protected, exposing data or enabling actions that the user is not permitted to perform.", "risk_and_exploitability": "With a CVSS score of 8.2, the vulnerability is high severity. The EPSS score is below 1\u202f%, indicating a low likelihood of exploitation at present, and it is not listed in the CISA KEV catalog. Nevertheless, the attack path is simple: an adversary can send specially crafted HTTP requests to a publicly reachable NestJS instance, which will be processed without the normal authentication and authorization checks. No special privileges or network access beyond the ability to reach the target server are required."}}}}, "created": "2026-03-02T12:07:07.670217+00:00", "updated": "2026-04-18T10:15:25.884036+00:00", "vendors": ["nest.js", "nest.js$PRODUCT$nest.js"]}