CVE-2026-6270
CriticalSummary
Versions of @fastify/middie up to 9.3.1 do not register inherited middleware directly on child plugin engine instances. This allows unauthenticated requests to bypass authentication and authorization checks for routes defined in child plugins.
Risk Assessment
The organization is at risk of unauthorized requests gaining access to routes, potentially leading to unauthorized access to resources.
Recommendation
It is recommended to upgrade to @fastify/middie version 9.3.2 to resolve this issue. There are no available workarounds.
Original NVD description (English source)
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.

