CVE-2026-6270

Description

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.

CVSS v3.1 Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS — Exploit Prediction

0.0006

Probability of exploitation

0.18%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-436 CWE-436

Affected Products

Vendor	Product	Versions
fastify	fastify\/middie	< 9.3.2

References

Advisories & Patches

https://cna.openjsf.org/security-advisories.html https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c https://github.com/fastify/middie/security/advisories/GHSA-72c6-fx6q-fr5w

Exploits

https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c

Frequently Asked Questions

What is CVE-2026-6270? +

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds. It has a CVSS v3.1 base score of 9.1 (CRITICAL).

How severe is CVE-2026-6270? +

CVE-2026-6270 has a CVSS v3.1 score of 9.1 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately. The EPSS score is 0.0006, placing it in the 0th percentile for exploitation probability.

What products are affected by CVE-2026-6270? +

CVE-2026-6270 affects products from fastify, specifically: fastify\/middie. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2026-6270? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-47076

Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has …

CVE-2026-42274

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule …

CVE-2026-42273

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host …

CVE-2026-42272

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded …

CVE-2025-54368

uv is a Python package and project manager written in Rust. In versions 0.8.5 and earlier, remote ZIP archives were …

CVE-2026-8034 9.8

A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to …