{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6270", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-04-14T11:08:51.828Z", "datePublished": "2026-04-16T13:44:46.322Z", "dateUpdated": "2026-04-16T14:24:26.764Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-16T13:44:46.322Z"}, "descriptions": [{"lang": "en", "value": "@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds."}]}], "affected": [{"vendor": "@fastify/middie", "product": "@fastify/middie", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "0", "lessThan": "9.3.2"}, {"versionType": "semver", "status": "unaffected", "version": "9.3.2"}], "packageURL": "pkg:npm/@fastify/middie"}], "references": [{"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c"}, {"url": "https://github.com/fastify/middie/security/advisories/GHSA-72c6-fx6q-fr5w"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "credits": [{"lang": "en", "type": "reporter", "value": "FredKSchott"}, {"lang": "en", "type": "remediation developer", "value": "climba03003"}, {"lang": "en", "type": "remediation developer", "value": "UlisesGascon"}], "title": "@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T14:23:16.690976Z", "id": "CVE-2026-6270", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:24:26.764Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6270", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-04-14T11:08:51.828Z", "datePublished": "2026-04-16T13:44:46.322Z", "dateUpdated": "2026-04-16T14:24:26.764Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-16T13:44:46.322Z"}, "descriptions": [{"lang": "en", "value": "@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds."}]}], "affected": [{"vendor": "@fastify/middie", "product": "@fastify/middie", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "0", "lessThan": "9.3.2"}, {"versionType": "semver", "status": "unaffected", "version": "9.3.2"}], "packageURL": "pkg:npm/@fastify/middie"}], "references": [{"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c"}, {"url": "https://github.com/fastify/middie/security/advisories/GHSA-72c6-fx6q-fr5w"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "credits": [{"lang": "en", "type": "reporter", "value": "FredKSchott"}, {"lang": "en", "type": "remediation developer", "value": "climba03003"}, {"lang": "en", "type": "remediation developer", "value": "UlisesGascon"}], "title": "@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6270", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T14:23:16.690976Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:24:22.614Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastify:fastify\\/middie:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "6082AC25-04AD-4888-B763-7D5C2493AF6E", "versionEndExcluding": "9.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds."}], "id": "CVE-2026-6270", "lastModified": "2026-05-14T15:41:44.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-04-16T14:16:19.433", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Vendor Advisory"], "url": "https://cna.openjsf.org/security-advisories.html"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Vendor Advisory"], "url": "https://github.com/fastify/middie/security/advisories/GHSA-72c6-fx6q-fr5w"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-436"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,9.3.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "9.3.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "@fastify/middie", "source": "cna", "vendor": "@fastify/middie"}, "product": "middie", "vendor": "fastify"}], "analysis": {"en": {"generated_at": "2026-04-17T02:58:25.299023+00:00", "value": {"mitigation_remediation": ["Apply the official fix by upgrading @fastify/middie to version 9.3.2 or newer.", "Validate that the authentication middleware is applied directly to any child plugin scopes that cannot be updated, ensuring that child routes remain protected.", "Periodically audit plugin usage to confirm that all child plugins are correctly configured with authentication protections."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The affected product is @fastify/middie.\n\nAll versions 9.3.1 and earlier are impacted. The package name is @fastify/middie and the issue is triggered when authentication middleware is registered in a parent Fastify scope and then child plugins are added using @fastify/middie.", "description_and_impact": "The vulnerability in the @fastify/middie package allows an attacker to bypass authentication and authorization mechanisms. When an application registers authentication middleware in a parent scope, any child plugins that use @fastify/middie fail to inherit that middleware. As a result, routes defined within child plugin scopes can be accessed without authentication, leading to unauthorized data exposure or manipulation. The weakness is a failure to enforce correct policy, identified as CWE-436.", "risk_and_exploitability": "The CVSS base score for the vulnerability is 9.1, indicating a high severity with potential for full exploitation. The EPSS score is not available, so the precise likelihood of exploitation cannot be quantified; however, the lack of authentication for child plugin routes implies that a remote attacker who can send web requests to the application can easily leverage this flaw to gain unauthenticated access. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the high severity and straightforward exploit path increase overall risk for exposed services."}}}}, "created": "2026-04-16T18:58:30.357745+00:00", "updated": "2026-04-17T03:00:08.464609+00:00", "vendors": ["fastify", "fastify$PRODUCT$middie"]}