{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33806", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-23T19:48:48.715Z", "datePublished": "2026-04-15T00:14:02.376Z", "dateUpdated": "2026-04-15T16:13:42.961Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T00:14:02.376Z"}, "descriptions": [{"lang": "en", "value": "Impact:\n\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.\n\nThis is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442\n\nPatches:\n\nUpgrade to fastify v5.8.5 or later.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Impact:\n\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.\n\nThis is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442\n\nPatches:\n\nUpgrade to fastify v5.8.5 or later.\n\nWorkarounds:\n\nNone. Upgrade to the patched version."}]}], "affected": [{"vendor": "fastify", "product": "fastify", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "5.3.2", "lessThan": "5.8.5"}, {"versionType": "semver", "status": "unaffected", "version": "5.8.5"}], "packageURL": "pkg:npm/fastify"}], "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "credits": [{"lang": "en", "type": "remediation developer", "value": "mcollina"}, {"lang": "en", "type": "remediation reviewer", "value": "climba03003"}, {"lang": "en", "type": "remediation reviewer", "value": "jsumners"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}, {"lang": "en", "type": "reporter", "value": "Vyntral"}], "title": "fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1287", "lang": "en", "description": "CWE-1287: Improper Validation of Specified Type of Input", "type": "CWE"}]}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T14:02:12.644507Z", "id": "CVE-2026-33806", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:13:42.961Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33806", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T14:02:12.644507Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T14:02:18.744Z"}}], "cna": {"title": "fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header", "credits": [{"lang": "en", "type": "remediation developer", "value": "mcollina"}, {"lang": "en", "type": "remediation reviewer", "value": "climba03003"}, {"lang": "en", "type": "remediation reviewer", "value": "jsumners"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}, {"lang": "en", "type": "reporter", "value": "Vyntral"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "fastify", "product": "fastify", "versions": [{"status": "affected", "version": "5.3.2", "lessThan": "5.8.5", "versionType": "semver"}, {"status": "unaffected", "version": "5.8.5", "versionType": "semver"}], "packageURL": "pkg:npm/fastify", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "x_generator": {"engine": "cve-kit 1.0.0"}, "descriptions": [{"lang": "en", "value": "Impact:\n\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.\n\nThis is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442\n\nPatches:\n\nUpgrade to fastify v5.8.5 or later.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.", "supportingMedia": [{"type": "text/html", "value": "Impact:\n\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.\n\nThis is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442\n\nPatches:\n\nUpgrade to fastify v5.8.5 or later.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1287", "description": "CWE-1287: Improper Validation of Specified Type of Input"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T00:14:02.376Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33806", "state": "PUBLISHED", "dateUpdated": "2026-04-15T16:13:42.961Z", "dateReserved": "2026-03-23T19:48:48.715Z", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "datePublished": "2026-04-15T00:14:02.376Z", "assignerShortName": "openjs"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F05DA184-C206-4A06-A5BA-97FBB69A274F", "versionEndExcluding": "5.8.5", "versionStartIncluding": "5.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Impact:\n\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.\n\nThis is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442\n\nPatches:\n\nUpgrade to fastify v5.8.5 or later.\n\nWorkarounds:\n\nNone. Upgrade to the patched version."}], "id": "CVE-2026-33806", "lastModified": "2026-04-17T15:49:28.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-04-15T04:17:36.650", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Vendor Advisory"], "url": "https://cna.openjsf.org/security-advisories.html"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Not Applicable"], "url": "https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1287"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{"bugzilla": {"description": "fastify: Fastify: Schema validation bypass via malformed Content-Type header", "id": "2458596", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458596"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-1289", "details": ["A flaw was found in Fastify. A remote attacker could exploit this vulnerability by prepending a space to the Content-Type header in a request. This action bypasses the application's schema validation, allowing the attacker to submit data that would otherwise be rejected. This could lead to unexpected data processing and potential integrity issues within the application."], "name": "CVE-2026-33806", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-mod-arch-maas-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-mod-arch-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Not affected", "package_name": "devspaces/dashboard-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-04-15T00:14:02Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33806\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33806\nhttps://cna.openjsf.org/security-advisories.html\nhttps://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc"], "statement": "This vulnerability doesn't affect any supported Red Hat product. This happens because or either the vulnerability was introduced in a version later than the shipped one or the product is already shipping a patched version of Fastify.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.3.2,5.8.5)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "5.8.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fastify", "source": "cna", "vendor": "fastify"}, "product": "fastify", "vendor": "fastify"}], "analysis": {"en": {"generated_at": "2026-04-17T08:05:17.085239+00:00", "value": {"mitigation_remediation": ["Upgrade Fastify to version 5.8.5 or a later release to remove the regression.", "Add a middleware that trims leading and trailing whitespace from the Content-Type header before routing, ensuring the validation logic is applied.", "Apply additional schema validation or data sanitization at the application layer for all incoming requests to guard against altered content types."], "summary": {"action": "Patch Update", "impact": "Schema Validation Bypass via Content-Type Header"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Fastify framework (fastify:fastify) in any application using content-type specific body validation. The regression is present in all releases from 5.3.2 through 5.8.4; versions 5.8.5 and later contain the fix.", "description_and_impact": "Applications built with Fastify that rely on schema.body.content to validate request bodies are vulnerable because inserting a single leading space in the Content-Type header causes the library to skip body validation entirely. The request body is still parsed, but the validation logic that would normally enforce the declared schema is bypassed, allowing attackers to send malformed or malicious data that could otherwise be rejected. This flaw stems from a regression introduced in Fastify versions starting at 5.3.2 and is tied to a previous advisory (CVE-2025-32442).", "risk_and_exploitability": "The flaw carries a CVSS score of 7.5, indicating moderate\u2011to\u2011high severity. EPSS score is < 1% and the issue has not been listed in the CISA KEV catalog, suggesting that exploitation is not yet widespread. Attackers would need to send crafted HTTP requests with a header that includes a leading space, which is a straightforward capability for anyone capable of tampering with outbound traffic. Once bypassed, the payload can be used to inject unexpected data into the application, potentially leading to further downstream security issues depending on how the data is processed."}}}}, "created": "2026-04-15T13:48:23.608698+00:00", "updated": "2026-04-17T08:15:13.498924+00:00", "vendors": ["fastify", "fastify$PRODUCT$fastify"]}