CVE-2026-33806
Published: 15 April 2026
Summary
CVE-2026-33806 is a high-severity Improper Validation of Specified Type of Input (CWE-1287) vulnerability in the Fastify web framework. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 26.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, prioritization, and remediation of software flaws like the Fastify Content-Type header validation bypass, via upgrade to v5.8.5 or later.
- SI-5 (Security Alerts, Advisories, and Directives): mandates receiving and acting on security advisories such as GHSA-mg2h-6x62-wpwc, which directs patching the Fastify regression vulnerability.
- Input validation: enforces organization-defined validation of inputs like HTTP bodies and headers, providing defense-in-depth against Content-Type manipulation that bypasses schema validation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote, unauthenticated attackers to bypass schema validation in a public-facing Fastify web application by manipulating the Content-Type header, enabling processing of payloads that the schema would otherwise reject. This maps directly to exploitation of public-facing applications (T1190).
NVD Description
Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442.
Patches: Upgrade to fastify v5.8.5 or later.
Workarounds: None. Upgrade to the patched version.
Deeper analysis
CVE-2026-33806 is a vulnerability in Fastify applications that utilize schema.body.content for per-content-type body validation. It allows attackers to entirely bypass schema validation by prepending a space to the Content-Type header, while the body is still parsed correctly. This issue is a regression introduced in Fastify versions 5.3.2 and later, stemming from the fix for CVE-2025-32442, and is classified under CWE-1287 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. An HTTP request whose Content-Type header carries a leading space, such as " application/json" instead of "application/json", bypasses the intended body validation schema: the body parser still recognizes the media type, but the per-content-type schema lookup does not, so validation is skipped. This allows malformed or malicious payloads that would otherwise be rejected to reach application code, with a high integrity impact (improper data handling or injection of invalid content into the application).
Advisories from the Fastify GitHub security page (GHSA-mg2h-6x62-wpwc) and OpenJSF CNA recommend upgrading to Fastify v5.8.5 or later to mitigate the issue. No workarounds are available, emphasizing the need for prompt patching in affected applications.
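The root cause described above is a disagreement between two lookups on the same header value: the body parser tolerated " application/json" while the schema lookup did not. The following is an added example, not Fastify's own code or the upstream fix (which is the upgrade to v5.8.5). It shows the defense-in-depth layer the input-validation control above calls for: a strict Content-Type parser that refuses non-canonical values outright, and a single canonical key that both the parse decision and the schema selection are made from, so a request can never be "parsed but not validated". The helper names (`parseContentType`, `selectBodySchema`, `contentTypeGate`), the sample schemas and the sample header values are all constructed for this illustration; the hook's `(request, reply, done)` shape and `reply.code(...).send(...)` follow Fastify's public hook API.

```javascript
// Added example (not Fastify's code): strict Content-Type gate for the
// CVE-2026-33806 failure mode. Helper names are hypothetical.

// RFC 9110 "token" characters. Whitespace is not a token character, so
// " application" (leading space) or "json " (trailing space) cannot match.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Parse a Content-Type field value into { mediaType, params }, or null if
// the value is malformed or non-canonical. The type/subtype are deliberately
// NOT trimmed; only the optional whitespace around ";"-separated parameters
// (which the grammar allows) is tolerated.
function parseContentType(raw) {
  if (typeof raw !== 'string') return null;
  const [mediaType, ...paramParts] = raw.split(';');
  const slash = mediaType.indexOf('/');
  if (slash < 0) return null;
  const type = mediaType.slice(0, slash);
  const subtype = mediaType.slice(slash + 1);
  if (!TOKEN.test(type) || !TOKEN.test(subtype)) return null;
  const params = {};
  for (const part of paramParts) {
    const eq = part.indexOf('=');
    if (eq < 0) return null;
    const name = part.slice(0, eq).trim().toLowerCase();
    let value = part.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // quoted-string parameter value
    }
    if (!TOKEN.test(name)) return null;
    params[name] = value;
  }
  // Media types are case-insensitive; the canonical lookup key is lowercase.
  return { mediaType: `${type}/${subtype}`.toLowerCase(), params };
}

// Select the body schema from ONE canonical key. Anything that does not parse
// strictly, or has no registered schema, is rejected with 415, so there is no
// path where the body is accepted but its schema is skipped.
function selectBodySchema(rawHeader, schemasByType) {
  const parsed = parseContentType(rawHeader);
  if (parsed === null) {
    return { status: 415, reason: 'malformed or non-canonical Content-Type' };
  }
  const schema = schemasByType[parsed.mediaType];
  if (schema === undefined) {
    return { status: 415, reason: `unsupported media type ${parsed.mediaType}` };
  }
  return { status: 200, mediaType: parsed.mediaType, schema };
}

// Hook in Fastify's (request, reply, done) shape, intended for registration
// as a preValidation hook. Sending a reply from the hook short-circuits the
// request, so done() is only called on the accept path.
function contentTypeGate(schemasByType) {
  return function preValidation(request, reply, done) {
    const decision = selectBodySchema(request.headers['content-type'], schemasByType);
    if (decision.status !== 200) {
      reply.code(415).send({ error: decision.reason });
      return;
    }
    request.bodySchema = decision.schema; // the schema the route should validate against
    done();
  };
}

// Constructed sample schemas, keyed by canonical media type.
const SCHEMAS = {
  'application/json': { type: 'object', required: ['id'] },
  'application/x-www-form-urlencoded': { type: 'object' },
};

// Constructed sample header values, including the advisory's space-prefixed form.
const SAMPLES = [
  'application/json',
  ' application/json',
  'Application/JSON; charset=utf-8',
  'text/plain',
];

// Returns [headerValue, httpStatus] pairs for the sample values.
function demo() {
  return SAMPLES.map((h) => [h, selectBodySchema(h, SCHEMAS).status]);
}
```

Registering `contentTypeGate(SCHEMAS)` as a `preValidation` hook makes the leading-space request fail with 415 before any body schema is consulted; `Application/JSON; charset=utf-8` still normalizes to `application/json` and is accepted, so legitimate clients that vary case or add parameters are unaffected. The design point is that canonicalization happens in exactly one place and rejection is the default for anything that does not canonicalize, which is the property the regression lost.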
Details
- CWE(s): CWE-1287 (Improper Validation of Specified Type of Input)