Nuxtjs, Middleware Bypass via Case-Sensitivity Mismatch, CVE-2026-53721 (High) -DC-Jun2026-459


CVE-2026-53721 is a vulnerability in Nuxt.js, a popular Vue.js framework, that allows attackers to bypass route-rule middleware. The flaw, with a CVSS v4.0 base score of 8.8 (High), stems from a case-sensitivity mismatch between `vue-router` and the framework's `routeRules` matcher.
By default, `vue-router` is configured with `sensitive: false`, meaning it matches paths case-insensitively. In contrast, the compiled `routeRules` matcher performs case-sensitive matching. The vulnerability arises when Nuxt looks up rules for the current navigation by calling `getRouteRules({ path: to.path })`. This discrepancy causes `vue-router` and the `routeRules` matcher to disagree on which rules apply to a given request path.
For example, `vue-router` will match the page record for `/Admin/dashboard` just as it would for `/admin/dashboard`. However, the `routeRules` lookup for `/Admin/dashboard` returns no match because its case differs from the defined rule. Consequently, any `appMiddleware` declared via `routeRules` is never added to the middleware set and never executes. This bypass affects both server-side rendering (SSR) and client-side navigations.
The vulnerability impacts Nuxt versions 3.11.0 up to (but not including) 3.21.7, and 4.0.0 up to (but not including) 4.4.7. For applications using `routeRules` with `appMiddleware` as an authorization gate, an attacker can change the case of any static segment in a protected URL (e.g., `/Admin/dashboard` instead of `/admin/dashboard`) to render the protected page with the middleware skipped. The server then returns the fully server-rendered page, including any data fetched during SSR.
This issue is an instance of CWE-178 (Improper Handling of Case Sensitivity) leading to CWE-863 (Incorrect Authorization). The vulnerability was discovered and reported by Anthropic / Claude through their coordinated vulnerability disclosure process (Reference: ANT-2026-9FSEBYMC).

DailyCVE Form:

Platform: Nuxt.js
Version: 3.11.0-3.21.6, 4.0.0-4.4.6
Vulnerability: Middleware Bypass
Severity: High (CVSS 8.8)
Date: 2026-06-12

Prediction: 2026-06-15

What Undercode Say:

The vulnerability is triggered by a case-sensitivity mismatch between `vue-router` and the `routeRules` matcher. The following technical analysis and commands can be used to understand and test the issue:

Vulnerable Code Flow:

1. A request is made to a path like `/Admin/dashboard`.
2. `vue-router` matches the route case-insensitively.
3. Nuxt calls `getRouteRules({ path: to.path })` to fetch rules for the path.
4. The `routeRules` matcher performs a case-sensitive lookup and finds no match.
5. Any `appMiddleware` defined for `/admin/dashboard` is not executed.

Verification Command (Example using `curl`):

```bash
# Send a request to a protected route with altered case
curl -I https://vulnerable-app.com/Admin/dashboard
```

If the server returns a `200 OK` response instead of a redirect or `403 Forbidden`, the middleware is likely bypassed.

Nuxt Configuration Check:

```ts
// nuxt.config.ts
export default defineNuxtConfig({
  routeRules: {
    '/admin/dashboard': {
      appMiddleware: 'auth' // This middleware can be bypassed
    }
  }
})
```

Exploit:

An attacker can exploit this vulnerability by crafting requests to protected routes with altered case in any static path segment. For instance, if an application has a route rule for `/admin/dashboard`, an attacker can request `/Admin/dashboard` or `/admin/Dashboard` to bypass the middleware. This allows unauthorized access to the protected page, potentially exposing sensitive data or functionality.

Protection:

To protect against this vulnerability, the following measures are recommended:
1. Upgrade Nuxt: Immediately upgrade to Nuxt version `3.21.7` or `4.4.7`, which contain the fix. The fix normalizes the path used for `routeRules` lookups to match `vue-router`'s case-insensitive semantics.
2. Set `sensitive: true`: As a workaround, set `router.options.sensitive = true` in your Nuxt configuration. This makes `vue-router` match paths case-sensitively, aligning it with the `routeRules` matcher.
3. Use `definePageMeta`: Move security-critical middleware from `routeRules.appMiddleware` to `definePageMeta({ middleware: [...] })` on the protected page components. This middleware is bound to the matched route record and is not affected by this vulnerability.
4. Enforce Authorization at the API Layer: Ensure that authorization is also enforced at the API or data-fetching layer, as middleware is considered an application-layer concern, not a server-side security boundary.
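The following is an added illustration (not Nuxt's or vue-router's own code) that models the two matchers from the "Vulnerable Code Flow" above together with the path normalisation the fix is described as applying and the `sensitive: true` workaround. The page records, rule keys and lookup functions are constructed samples and assumptions for the model.

```javascript
// Simplified model of the router / routeRules mismatch (added illustration,
// not Nuxt code). Rules are keyed by exact path; wildcards are omitted.

// Page records, matched by the router with the `sensitive` flag
// (false = case-insensitive, the vue-router default).
const pageRoutes = ['/admin/dashboard', '/admin/users', '/public'];

// Route rules as they would be declared in nuxt.config.ts (constructed sample).
const routeRules = {
  '/admin/dashboard': { appMiddleware: 'auth' },
  '/admin/users': { appMiddleware: ['auth', 'admin-only'] },
};

// Resolve a path to a page record; returns null when no record matches.
function matchPageRoute(path, { sensitive = false } = {}) {
  const norm = (p) => (sensitive ? p : p.toLowerCase());
  return pageRoutes.find((r) => norm(r) === norm(path)) ?? null;
}

// Vulnerable lookup: exact, case-sensitive key match.
function getRouteRulesVulnerable(path) {
  return routeRules[path] ?? {};
}

// Hardened lookup: compare keys case-insensitively so the rule matcher agrees
// with a case-insensitive router (modelled on the advisory's description).
function getRouteRulesFixed(path) {
  const key = Object.keys(routeRules).find(
    (rule) => rule.toLowerCase() === path.toLowerCase(),
  );
  return key ? routeRules[key] : {};
}

// Middleware the rule lookup contributes for a navigation to `path`.
function middlewareFor(path, lookup) {
  const mw = lookup(path).appMiddleware;
  return mw == null ? [] : [].concat(mw);
}

// Bypass check: the router resolves the path to a record, but the rule
// lookup yields fewer middleware than the record's canonical path would.
function isBypassed(path, lookup, routerOpts) {
  const record = matchPageRoute(path, routerOpts);
  if (record === null) return false; // no page record: plain 404, nothing to bypass
  const expected = middlewareFor(record, lookup);
  const actual = middlewareFor(path, lookup);
  return expected.length > 0 && actual.length < expected.length;
}
```

With the default router, `/Admin/dashboard` resolves to the `/admin/dashboard` record but picks up no middleware under the exact-match lookup; the normalised lookup restores it, while `sensitive: true` instead leaves the mixed-case path unresolved so there is no page to bypass.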

Impact

Successful exploitation allows an attacker to bypass `appMiddleware` defined in `routeRules`. If this middleware is used for authorization, an attacker can access protected pages and view sensitive information. The server will return the fully server-rendered page, including any data fetched via `useFetch` or `useAsyncData` during SSR. This can lead to unauthorized access to administrative panels, user dashboards, or other restricted areas of the application.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
