CVE-2026-6270
published 2026-04-16


Priority P2 (64); severity critical, 9.1 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.50% (38.9th percentile)
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.
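The mechanism behind the bypass, as an added example (this is not code from @fastify/middie or from the advisory): a dependency-free model of Fastify-style encapsulated scopes in which every scope owns its own middleware engine. In the fixed behaviour a child engine is seeded with the parent's middleware when the child plugin is registered; in the vulnerable behaviour the child engine starts empty, so a bearer-token check registered once in the parent never runs for child routes, while parent routes stay protected. The `Scope`, `dispatch` and `unauthenticatedRoutes` names, the `/api/child` route and the token value are all hypothetical. The last function is the regression check a practitioner would want after upgrading: walk every route in every scope with no credentials and list any that answer 200; against a real app the same walk is done with Fastify's `app.inject()`.

```javascript
'use strict';

// Added example, not @fastify/middie's code. A minimal model of encapsulated plugin
// scopes, each with its own middleware engine, showing why a child engine that is
// not seeded with the parent's middleware lets requests bypass a parent-scope auth
// check. All names here are hypothetical.

class Scope {
  constructor(parent = null, prefix = '', inheritMiddleware = true) {
    this.prefix = (parent ? parent.prefix : '') + prefix;
    this.engine = [];          // this scope's own middleware engine, run in order
    this.routes = new Map();   // path (relative to this.prefix) -> handler
    this.children = [];
    // Fixed behaviour: the parent's middleware is registered on the child engine at
    // registration time. Vulnerable behaviour (inheritMiddleware = false): the child
    // engine starts empty, so parent middleware never runs for the child's routes.
    if (parent && inheritMiddleware) this.engine.push(...parent.engine);
  }

  use(middleware) { this.engine.push(middleware); }

  get(path, handler) { this.routes.set(path, handler); }

  register(plugin, { prefix = '', inheritMiddleware = true } = {}) {
    const child = new Scope(this, prefix, inheritMiddleware);
    this.children.push(child);
    plugin(child);
    return child;
  }
}

// Find the scope that owns a URL (scope prefix + route path) and its handler.
function findRoute(scope, url) {
  for (const [path, handler] of scope.routes) {
    if (scope.prefix + path === url) return { scope, handler };
  }
  for (const child of scope.children) {
    const hit = findRoute(child, url);
    if (hit) return hit;
  }
  return null;
}

// Run the owning scope's engine; the handler only runs if no middleware ended the response.
function dispatch(root, req) {
  const hit = findRoute(root, req.url);
  if (!hit) return { statusCode: 404, body: 'not found' };
  const res = {
    statusCode: 200, body: null, ended: false,
    end(body) { this.body = body; this.ended = true; },
  };
  const chain = hit.scope.engine;
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++](req, res, next); };
  next();
  if (!res.ended) res.end(hit.handler(req));
  return { statusCode: res.statusCode, body: res.body };
}

// Bearer-token check registered once, in the parent scope (token value is made up).
function requireBearer(req, res, next) {
  if (req.headers.authorization === 'Bearer s3cret') return next();
  res.statusCode = 401;
  res.end('unauthorized');
}

// Parent scope with auth middleware and one route; child plugin under /api with one route.
function buildApp(inheritMiddleware) {
  const app = new Scope();
  app.use(requireBearer);
  app.get('/parent', () => 'parent ok');
  app.register((child) => {
    child.get('/child', () => 'child ok');
  }, { prefix: '/api', inheritMiddleware });
  return app;
}

// Regression check: every route in every scope, requested with no credentials;
// anything answering 200 has escaped the parent-scope auth check.
function unauthenticatedRoutes(scope, out = []) {
  for (const path of scope.routes.keys()) {
    const url = scope.prefix + path;
    if (dispatch(scope, { url, headers: {} }).statusCode === 200) out.push(url);
  }
  for (const child of scope.children) unauthenticatedRoutes(child, out);
  return out;
}

console.log('vulnerable:', unauthenticatedRoutes(buildApp(false))); // [ '/api/child' ]
console.log('fixed:     ', unauthenticatedRoutes(buildApp(true)));  // []
```

The model copies the parent's engine only at registration time, so middleware added to the parent after a child plugin is registered would not reach the child either; register auth middleware before any child plugins, and keep the unauthenticated route walk in the test suite so a future regression shows up as a non-empty list rather than as an open endpoint.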

Affected (3 ranges)

Vendor   Product                 Version range    Fixed in
fastify  fastify_middie          < 9.3.2          9.3.2
fastify  middie                  >= 0, < 9.3.2    9.3.2
fastify  middie_fastify_middie   < 9.3.2          9.3.2

CVSS provenance

NVD    v3.1   9.1   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
GHSA          9.1   CRITICAL