CVE-2026-6270

Published: Apr 16, 2026 Last Modified: Apr 16, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,1

Source: ce714d77-add3-4f53-aff5-83d477b104bb

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: none

Description

AI Translation Available

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.

436

Interpretation Conflict

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Other

Potential Impacts:

Unexpected State Varies By Context

Applicable Platforms

All platforms may be affected

View CWE Details

https://cna.openjsf.org/security-advisories.html

https://github.com/fastify/fastify-express/security/advisor…

https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7…

https://github.com/fastify/middie/security/advisories/GHSA-…

https://github.com/fastify/middie/security/advisories/GHSA-72c6-fx6q-fr5w

CVE-2026-6270

Description

Interpretation Conflict

Common Consequences

Applicable Platforms

Iscriviti alla newsletter