@fastify/middie, Middleware Authentication Bypass, CVE-2026-6270 (Critical)

Listen to this Post

The vulnerability exists because @fastify/middie versions 9.3.1 and earlier fail to properly register inherited middleware on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This occurs due to an incorrect re-prefixing logic when propagating middleware paths to child plugin scopes. Specifically, if a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fails to match incoming requests. As a result, unauthenticated requests can reach routes defined in child plugin scopes, completely bypassing authentication, authorization, rate limiting, and any other middleware-based security controls. No special request crafting or configuration is required to exploit this flaw. The issue affects all nested (grandchild) scopes as well. This vulnerability class is the same as GHSA-hrwm-hgmj-7p9c (CVE-2026-33807) in @fastify/express. The patch is available in version 9.3.2, which correctly registers inherited middleware on child plugin engine instances. There are no workarounds; upgrading is the only solution.
Platform: @fastify/middie
Version: <=9.3.1
Vulnerability: Middleware Bypass
Severity: CRITICAL
date: 2026-04-16

Prediction: 2026-04-16

What Undercode Say:

Check installed version
npm list @fastify/middie
Verify vulnerable version
npm view @fastify/[email protected] version
Upgrade to patched version
npm install @fastify/[email protected]
Audit for vulnerabilities
npm audit --production
// Vulnerable pattern: parent middleware not inherited
const fastify = require('fastify')();
const middie = require('@fastify/middie');
await fastify.register(middie);
fastify.use('/admin', authMiddleware); // Parent scope
await fastify.register(childPlugin, { prefix: '/api' }); // Child scope bypasses auth

Exploit:

// Exploit: Unauthenticated request to child plugin route
const axios = require('axios');
// This request reaches /api/user without auth check
axios.get('http://localhost:3000/api/user');

Protection from this CVE

Upgrade to @fastify/middie 9.3.2 or later immediately. No workarounds exist.

Impact

Complete bypass of authentication, authorization, and rate limiting for all routes in child plugin scopes. Unauthenticated attackers can access sensitive endpoints (admin panels, user data, APIs) without any special request crafting.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top