CVE-2026-6270
Published 2026-04-16
Priority P264 · critical 9.1 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.50% (38.9th percentile)
@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fastify | fastify_middie | < 9.3.2 | 9.3.2 |
| fastify | middie | >= 0 < 9.3.2 | 9.3.2 |
| fastify | middie_fastify_middie | < 9.3.2 | 9.3.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| GHSA | | 9.1 | CRITICAL | |
GHSA · 2026-04-16 · CVSS 9.1 · CWE-436
CVE-2026-6270 [CRITICAL] @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
### Impact
`@fastify/middie` v9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fails to match incoming requests.
This results in complete bypass of middleware security controls for all routes defined within affected child plugin scopes, including nested (grandchild) scopes. Authentication, authorization, rate limiting, and any other middleware-based security mechanisms are skipped. No special request crafting or configuration is required.
This is the same vulnerability class as [GHSA-h
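The following is an added illustration, not code from @fastify/middie, Fastify, or the advisory. It is a constructed, simplified model of scoped middleware inheritance: `createScope`, `use`, `dispatch`, `propagateBuggy`, `propagateFixed`, `requireAuth`, `buildApp` and `unguardedRoutes` are all hypothetical names. It shows the failure mode the advisory describes (a parent-scoped middleware path that overlaps the child prefix is re-prefixed during inheritance and stops matching requests) next to inheritance that keeps the registered path, and a route-coverage audit a defender can run against any such model to list routes no auth middleware would guard.

```javascript
// Constructed model of scoped middleware inheritance (hypothetical, not @fastify/middie's code).
// A scope holds a list of {path, fn} middlewares; a child scope copies its parent's list
// through a "propagate" function. The vulnerable variant re-applies the child's prefix to
// paths that were already registered as absolute paths in the parent.

function matches(mwPath, url) {
  // Middleware registered at "/" applies everywhere; otherwise it is a path-segment prefix match.
  if (mwPath === '/') return true;
  return url === mwPath || url.startsWith(mwPath + '/');
}

// Vulnerable propagation: prepends the child prefix to every inherited middleware path, so a
// parent middleware at "/api" becomes "/api/api" in a child mounted at "/api" (an overlapping prefix).
function propagateBuggy(parentMws, childPrefix) {
  return parentMws.map((m) => ({ ...m, path: childPrefix + m.path }));
}

// Fixed propagation: an inherited middleware keeps the path it was registered with.
function propagateFixed(parentMws) {
  return parentMws.map((m) => ({ ...m }));
}

function createScope(parent, prefix, propagate) {
  const scope = { prefix: (parent ? parent.prefix : '') + prefix, middlewares: [], parent };
  if (parent) scope.middlewares.push(...propagate(parent.middlewares, prefix));
  return scope;
}

function use(scope, path, fn) {
  scope.middlewares.push({ path, fn });
}

// Runs the scope's middleware chain for a URL; the first middleware that returns a response ends it.
function dispatch(scope, url, req) {
  for (const m of scope.middlewares) {
    if (matches(m.path, url)) {
      const res = m.fn(req);
      if (res) return res;
    }
  }
  return { status: 200 }; // route handler reached
}

// Hypothetical auth guard: reject any request without an Authorization header.
function requireAuth(req) {
  return req.headers.authorization ? null : { status: 401 };
}

// Parent scope guards everything under /api; child plugin is mounted at the overlapping prefix /api.
function buildApp(propagate) {
  const root = createScope(null, '', propagate);
  use(root, '/api', requireAuth);
  const child = createScope(root, '/api', propagate);
  return { root, child };
}

// Status an unauthenticated request to a child-scope route gets under the given propagation.
function simulate(propagate) {
  return dispatch(buildApp(propagate).child, '/api/users', { headers: {} }).status;
}

// Coverage audit: routes in a scope that no instance of the guard middleware would match.
function unguardedRoutes(scope, routes, guard) {
  return routes.filter(
    (url) => !scope.middlewares.some((m) => m.fn === guard && matches(m.path, url)),
  );
}

console.log('buggy inheritance  ->', simulate(propagateBuggy)); // unauthenticated request reaches the route
console.log('fixed inheritance  ->', simulate(propagateFixed)); // guard still applies
console.log('unguarded (buggy) ->', unguardedRoutes(buildApp(propagateBuggy).child, ['/api/users', '/health'], requireAuth));
console.log('unguarded (fixed) ->', unguardedRoutes(buildApp(propagateFixed).child, ['/api/users', '/health'], requireAuth));
```

The audit is the useful part after upgrading: enumerate the routes of each child scope and confirm that every route expected to be protected is matched by the inherited guard, rather than relying on the parent registration alone.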
VulDB · 2026-04-16 · CVSS 9.1
CVE-2026-6270 [CRITICAL] fastify middie up to 9.3.1 interpretation conflict (GHSA-hrwm-hgmj-7p9c)
A vulnerability, which was classified as critical, was found in fastify middie up to 9.3.1. This affects an unknown function. Such manipulation leads to interpretation conflict.
This vulnerability is documented as CVE-2026-6270. The attack can be executed remotely. No exploit is available.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
Bugzilla · 2025-06-20 · CVSS 1.9
CVE-2025-6270 [LOW] python-hdf5storage: HDF5 heap-based overflow [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2373902
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintaine
Bugzilla · 2025-06-20 · CVSS 1.9
CVE-2025-6270 [LOW] hdf5: HDF5 heap-based overflow [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2373902
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish