CVE Catalog

CVE-2026-6270

Critical
Published: Translated: NVD NIST

Summary

Versions of @fastify/middie up to 9.3.1 do not register inherited middleware directly on child plugin engine instances. This allows unauthenticated requests to bypass authentication and authorization checks for routes defined in child plugins.

Risk Assessment

The organization is at risk of unauthorized requests gaining access to routes, potentially leading to unauthorized access to resources.

Recommendation

It is recommended to upgrade to @fastify/middie version 9.3.2 to resolve this issue. There are no available workarounds.

Original NVD description (English source)

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS