Cyber Resilience

CVE-2026-2880

High

Published: 27 February 2026

Published
27 February 2026
Modified
14 May 2026
KEV Added
Patch
CVSS Score v4 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0039 30.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-2880 is a high-severity Improper Input Validation (CWE-20) vulnerability in Fastify Fastify\/Middie. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2880 is a vulnerability in @fastify/middie versions prior to 9.2.0, a middleware plugin for the Fastify web framework. It enables authentication and authorization bypass specifically when path-scoped middleware is used, such as app.use('/secret', auth). The issue arises when Fastify router normalization options are enabled—including ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behaviors—allowing crafted request paths to evade middleware checks while still matching and executing protected route handlers. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-20 (Improper Input Validation). It was published on 2026-02-27.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By constructing HTTP requests with specially manipulated paths that leverage the normalization options, attackers bypass security middleware and reach handlers intended to be protected, achieving high-impact confidentiality and integrity violations such as unauthorized data access or modification without affecting availability.

The GitHub Security Advisory at https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw provides details on the vulnerability. Mitigation requires upgrading to @fastify/middie version 9.2.0 or later, which resolves the path bypass issue in conjunction with Fastify's router normalization features.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass…

more

middleware checks while still being routed to protected handlers.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability enables unauthenticated remote exploitation of a public-facing web framework (Fastify middleware) via crafted paths to bypass authentication/authorization, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6270Same product: Fastify Fastify\/Middie
CVE-2026-22031Same product: Fastify Fastify\/Middie
CVE-2026-33804Same product: Fastify Fastify\/Middie
CVE-2026-33806Same vendor: Fastify
CVE-2026-33807Same vendor: Fastify
CVE-2026-25223Same vendor: Fastify
CVE-2026-33808Same vendor: Fastify
CVE-2025-48913Shared CWE-20
CVE-2025-67484Shared CWE-20
CVE-2026-4755Shared CWE-20

Affected Assets

fastify
fastify\/middie
≤ 9.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly mitigates CVE-2026-2880 by requiring upgrade of the vulnerable @fastify/middie library to version 9.2.0 or later, eliminating the path normalization bypass.

prevent

Information input validation ensures crafted request paths exploiting Fastify router normalization are checked and rejected before reaching protected handlers.

prevent

Access enforcement requires the system to properly apply path-scoped authentication middleware to all requests matching protected routes, preventing bypass via manipulated paths.

References