CVE-2026-33807
Published: 15 April 2026
Summary
CVE-2026-33807 is a critical-severity Interpretation Conflict (CWE-436) vulnerability in Openjsf (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 8.3 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Remediates the path handling flaw in @fastify/express v4.0.4 and earlier by requiring a timely upgrade to v4.0.5 or later, directly preventing middleware bypass for child plugin routes.
- RA-5 (Vulnerability Monitoring and Scanning): Vulnerability scanning detects deployments of the @fastify/express version affected by CVE-2026-33807, enabling proactive patching.
- Verifies correct operation of Express middleware security functions such as authentication and rate limiting, to identify path matching failures in child plugins.
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability is a remote path handling bug in a public-facing web framework plugin that directly enables bypassing of authentication/authorization middleware via standard HTTP requests, mapping to exploitation of public-facing applications.
NVD Description
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required. Upgrade to @fastify/express v4.0.5 or later.
Deeper analysis
CVE-2026-33807 is a path handling vulnerability in the @fastify/express plugin for Fastify versions 4.0.4 and earlier. The issue stems from a bug in the onRegister function, which causes middleware paths to be doubled when inherited by child plugins. Specifically, if a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, preventing it from matching any incoming requests. This leads to a complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within the affected child plugin scopes.
The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and carries a CVSS v3.1 base score of 9.1 (S:U/C:H/I:H/A:N). Remote attackers can exploit it by sending standard HTTP requests to routes in affected child plugins, bypassing middleware protections without any special configuration or request crafting. This enables unauthorized access to protected endpoints, potentially exposing sensitive data or allowing privilege escalation within the application.
Advisories recommend upgrading to @fastify/express version 4.0.5 or later to mitigate the issue. Details are provided in the GitHub security advisory for fastify/fastify-express (GHSA-hrwm-hgmj-7p9c) and the OpenJSF CNA security advisories page. The vulnerability is associated with CWE-436 (Interpretation Conflict).
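The path doubling described in the NVD description and the deeper analysis above, as an added illustrative model (not @fastify/express's own onRegister code): an Express-style prefix matcher, the buggy and fixed ways a child plugin might inherit a parent middleware path, and a coverage check a defender can run to find routes that no security middleware would ever run for. The inheritance functions and sample paths are assumptions constructed for the demonstration.

```javascript
// Express-style prefix match: middleware mounted at `mount` applies to a
// request path if the path equals it or continues past a '/' boundary.
function middlewareApplies(mount, reqPath) {
  if (mount === '/' || mount === '') return true;
  return reqPath === mount || reqPath.startsWith(mount + '/');
}

// Join a plugin prefix and a path without producing a double slash.
function joinPath(prefix, path) {
  const p = prefix.replace(/\/+$/, '');
  return p + (path.startsWith('/') ? path : '/' + path);
}

// Buggy inheritance (models the v4.0.4 behaviour described on this page):
// the middleware path is prefixed with the child prefix even though it was
// already registered as an absolute mount point. '/admin' -> '/admin/admin'
function inheritBuggy(middlewarePath, childPrefix) {
  return joinPath(childPrefix, middlewarePath);
}

// Fixed inheritance: the parent's absolute mount point is kept unchanged.
function inheritFixed(middlewarePath, childPrefix) {
  return middlewarePath;
}

// Defender check: list the child plugin's full route paths that none of the
// inherited security middleware mount points would match.
function uncoveredRoutes(middlewarePaths, childPrefix, childRoutes, inherit) {
  const inherited = middlewarePaths.map((m) => inherit(m, childPrefix));
  return childRoutes
    .map((r) => joinPath(childPrefix, r))
    .filter((full) => !inherited.some((m) => middlewareApplies(m, full)));
}

// Constructed sample: an auth middleware mounted at /admin in the parent and
// a child plugin registered with the same prefix (the triggering condition).
const AUTH_PATHS = ['/admin'];
const CHILD_PREFIX = '/admin';
const CHILD_ROUTES = ['/users', '/settings'];

console.log(uncoveredRoutes(AUTH_PATHS, CHILD_PREFIX, CHILD_ROUTES, inheritBuggy));
// → [ '/admin/users', '/admin/settings' ]
console.log(uncoveredRoutes(AUTH_PATHS, CHILD_PREFIX, CHILD_ROUTES, inheritFixed));
// → []
```

The same coverage check can be pointed at a real route table exported from an application to confirm, after upgrading, that every protected child route is still matched by its security middleware.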
Details
- CWE(s): CWE-436 (Interpretation Conflict)