Fastify Middie middleware fails to apply to child plugins
CVSS score: 9.1
CVE-2026-6270
GHSA-72c6-fx6q-fr5w
Summary
When `@fastify/middie` middleware is registered in a parent scope, authentication checks may not run for routes defined in child plugins whose prefix overlaps the middleware path. This means unauthorized users might be able to reach those routes. To fix this, upgrade to the latest version of @fastify/middie; there is no workaround.
What to do
- Update @fastify/middie to version 9.3.2 or later.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | fastify | middie | <= 9.3.1 (fix: upgrade to 9.3.2) |
Original title
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
Original description
### Impact
`@fastify/middie` v9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fails to match incoming requests.
This results in complete bypass of middleware security controls for all routes defined within affected child plugin scopes, including nested (grandchild) scopes. Authentication, authorization, rate limiting, and any other middleware-based security mechanisms are skipped. No special request crafting or configuration is required.
This is the same vulnerability class as [GHSA-hrwm-hgmj-7p9c](https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c) (CVE-2026-33807) in `@fastify/express`.
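As an added illustration (not code from the advisory or from `@fastify/middie`), the following model shows why an inherited middleware path that gets re-prefixed stops matching requests in an overlapping child scope, and the kind of route-coverage check a test suite can keep after upgrading. The scope/prefix model, the exact re-prefixing step and the `/admin` routes are assumptions constructed for the example.

```javascript
// Simplified model of middleware-path inheritance across plugin scopes.
// NOT @fastify/middie's code: the rePrefix branch is an assumed illustration
// of the advisory's "re-prefixes middleware paths" behaviour.
function createScope(prefix = '') {
  return { prefix, middlewares: [], children: [] };
}

// Register middleware at `path`, resolved against the scope's own prefix.
function use(scope, path, fn) {
  scope.middlewares.push({ path: scope.prefix + path, fn });
}

// Register a child scope and inherit the parent's middleware into it.
// rePrefix=true models the broken inheritance: the child prefix is applied
// to a path that was already resolved, so it no longer matches requests.
function register(parent, childPrefix, rePrefix) {
  const child = createScope(parent.prefix + childPrefix);
  for (const m of parent.middlewares) {
    child.middlewares.push({ path: rePrefix ? child.prefix + m.path : m.path, fn: m.fn });
  }
  parent.children.push(child);
  return child;
}

// Run every middleware whose path covers `url`; return the names that ran.
function dispatch(scope, url) {
  return scope.middlewares
    .filter((m) => url === m.path || url.startsWith(m.path + '/'))
    .map((m) => m.fn.name);
}

// Parent scope guards /admin; a child plugin is registered with the
// overlapping prefix /admin and owns the admin routes (constructed example).
function buildChild(rePrefix) {
  const root = createScope();
  use(root, '/admin', function requireAuth() {});
  return register(root, '/admin', rePrefix);
}

// Regression check a defender can keep in a test suite: list child-scope
// routes that the auth middleware did NOT run for.
function unprotectedRoutes(routes, rePrefix) {
  const child = buildChild(rePrefix);
  return routes.filter((r) => !dispatch(child, r).includes('requireAuth'));
}

const ROUTES = ['/admin/users', '/admin/settings/keys'];
console.log('broken inheritance, unguarded:', unprotectedRoutes(ROUTES, true));
console.log('fixed inheritance, unguarded:', unprotectedRoutes(ROUTES, false));
```

With the real library, the same check is an integration test that injects a request to every child-scope route and asserts the authentication middleware produced its expected effect.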
### Patches
Upgrade to `@fastify/middie` v9.3.2 or later.
### Workarounds
None. Upgrade to the patched version.
NVD CVSS 3.1 score
9.1
Vulnerability type
CWE-436
References
- https://cna.openjsf.org/security-advisories.html
- https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p...
- https://github.com/fastify/middie/security/advisories/GHSA-72c6-fx6q-fr5w
- https://nvd.nist.gov/vuln/detail/CVE-2026-6270
- https://github.com/advisories/GHSA-72c6-fx6q-fr5w
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026