CVE-2026-2880
Published: 27 February 2026
Summary
CVE-2026-2880 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Openjsf \@Fastify\/Middie. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly mitigates CVE-2026-2880 by requiring upgrade of the vulnerable @fastify/middie library to version 9.2.0 or later, eliminating the path normalization bypass.
Information input validation ensures crafted request paths exploiting Fastify router normalization are checked and rejected before reaching protected handlers.
Access enforcement requires the system to properly apply path-scoped authentication middleware to all requests matching protected routes, preventing bypass via manipulated paths.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables unauthenticated remote exploitation of a public-facing web framework (Fastify middleware) via crafted paths to bypass authentication/authorization, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass…
more
middleware checks while still being routed to protected handlers.
Deeper analysisAI
CVE-2026-2880 is a vulnerability in @fastify/middie versions prior to 9.2.0, a middleware plugin for the Fastify web framework. It enables authentication and authorization bypass specifically when path-scoped middleware is used, such as app.use('/secret', auth). The issue arises when Fastify router normalization options are enabled—including ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behaviors—allowing crafted request paths to evade middleware checks while still matching and executing protected route handlers. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-20 (Improper Input Validation). It was published on 2026-02-27.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By constructing HTTP requests with specially manipulated paths that leverage the normalization options, attackers bypass security middleware and reach handlers intended to be protected, achieving high-impact confidentiality and integrity violations such as unauthorized data access or modification without affecting availability.
The GitHub Security Advisory at https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw provides details on the vulnerability. Mitigation requires upgrading to @fastify/middie version 9.2.0 or later, which resolves the path bypass issue in conjunction with Fastify's router normalization features.
Details
- CWE(s)