CVE-2026-30246
published 2026-05-05CVE-2026-30246: Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request…
PriorityP336medium6.5CVSS 3.1
AVNACLPRNUINSUCLILAN
EPSS
0.25%
16.3th percentile
Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gofiber_fiber_v3 | >= 0 < 3.2.0 | 3.2.0 |
| gofiber | fiber | <= 3.1.0 | — |
| gofiber | fiber | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
gofiber up to 3.0.x Query String interpretation conflict (GHSA-35hp-hqmv-8qg8)
vuldb·2026-05-05·CVSS 6.5
CVE-2026-30246 [MEDIUM] gofiber up to 3.0.x Query String interpretation conflict (GHSA-35hp-hqmv-8qg8)
A vulnerability was found in gofiber fiber up to 3.0.x. It has been rated as critical. This affects an unknown function of the component Query String Handler. The manipulation leads to interpretation conflict.
This vulnerability is listed as CVE-2026-30246. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is advised.
GHSA
Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters
ghsa·2026-04-28
CVE-2026-30246 [MEDIUM] CWE-200 Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters
Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters
### Summary
Fiber cache middleware's default key generator uses only `c.Path()` and does not include the query string.
As a result, requests like `/?id=1` and `/?id=2` can map to the same cache key and share the same cached response.
This can cause response mix-up (cache poisoning-like behavior) for endpoints where response content depends on query parameters.
### Details
Default configuration in cache middleware:
- `KeyGenerator: func(c fiber.Ctx) string { return utils.CopyString(c.Path()) }`
References:
- https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92
- https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L5
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-30246 golang-github-gofiber-fiber-2: github.com/gofiber/fiber/v3: Information disclosure due to incorrect cache key generation [fedora-all]
bugzilla·2026-06-04·CVSS 6.5
CVE-2026-30246 [MEDIUM] CVE-2026-30246 golang-github-gofiber-fiber-2: github.com/gofiber/fiber/v3: Information disclosure due to incorrect cache key generation [fedora-all]
CVE-2026-30246 golang-github-gofiber-fiber-2: github.com/gofiber/fiber/v3: Information disclosure due to incorrect cache key generation [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-30246 github.com/gofiber/fiber/v3: github.com/gofiber/fiber/v3: Information disclosure due to incorrect cache key generation
bugzilla·2026-05-05·CVSS 6.5
CVE-2026-30246 [MEDIUM] CVE-2026-30246 github.com/gofiber/fiber/v3: github.com/gofiber/fiber/v3: Information disclosure due to incorrect cache key generation
CVE-2026-30246 github.com/gofiber/fiber/v3: github.com/gofiber/fiber/v3: Information disclosure due to incorrect cache key generation
Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0.
https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8
2026-05-05
Published