
CVE-2026-33807

Critical · Public PoC · Updated

Published: 15 April 2026
Modified: 01 June 2026
KEV Added: not listed
Patch: upgrade to @fastify/express 4.0.5 or later
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0043 (34.3rd percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-33807 is a critical-severity Interpretation Conflict (CWE-436) vulnerability in Fastify's Fastify/Express (the @fastify/express plugin). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 34.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33807 is a path handling vulnerability in the @fastify/express plugin for Fastify versions 4.0.4 and earlier. The issue stems from a bug in the onRegister function, which causes middleware paths to be doubled when inherited by child plugins. Specifically, if a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, preventing it from matching any incoming requests. This leads to a complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within the affected child plugin scopes.

The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and carries a CVSS v3.1 base score of 9.1 (S:U/C:H/I:H/A:N). Remote attackers can exploit it by sending standard HTTP requests to routes in affected child plugins, bypassing middleware protections without any special configuration or request crafting. This enables unauthorized access to protected endpoints, potentially exposing sensitive data or allowing privilege escalation within the application.

Advisories recommend upgrading to @fastify/express version 4.0.5 or later to mitigate the issue. Details are provided in the GitHub security advisory for fastify/fastify-express (GHSA-hrwm-hgmj-7p9c) and the OpenJSF CNA security advisories page. The vulnerability is associated with CWE-436 (Interpretation Conflict).
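The path doubling described above, modelled in an added example that is not the plugin's code: `inheritedMount` applies an assumed rule that mirrors the advisory text (child prefix applied a second time when it matches the middleware path), not the real onRegister logic, and `uncoveredRoutes` is the coverage check a maintainer would run to confirm an Express-style middleware mount still covers every route a prefixed child plugin declares. The `/admin` mount, the route list and all function names are constructed.

```javascript
// Added illustration, not the @fastify/express source. `inheritedMount`
// models the advisory's description of the flaw (the child prefix applied a
// second time) under an assumed rule; it is not the real onRegister logic.

// Join a plugin prefix and a path, normalising the slash between them.
function joinPath(prefix, p) {
  if (!prefix || prefix === '/') return p;
  if (!p || p === '/') return prefix;
  return prefix.replace(/\/$/, '') + (p.startsWith('/') ? p : '/' + p);
}

// Express mount semantics: middleware mounted at `mount` runs for the mount
// path itself and for any path below it on a segment boundary.
function mountMatches(mount, reqPath) {
  if (!mount || mount === '/') return true;
  const base = mount.replace(/\/$/, '');
  return reqPath === base || reqPath.startsWith(base + '/');
}

// Effective mount of a parent-scope middleware inside a child plugin.
// fixed: the path is already absolute, so it is inherited unchanged.
// buggy: when the child prefix matches the middleware path, the prefix is
//        applied again, e.g. '/admin' under prefix '/admin' -> '/admin/admin'.
function inheritedMount(mountPath, childPrefix, { buggy }) {
  if (buggy && mountMatches(childPrefix, mountPath)) {
    return joinPath(childPrefix, mountPath);
  }
  return mountPath;
}

// Coverage audit: full paths of child-plugin routes that the inherited
// middleware would no longer run for. An empty result means every route
// under the child prefix still passes through the middleware.
function uncoveredRoutes(mountPath, childPrefix, childRoutes, opts) {
  const mount = inheritedMount(mountPath, childPrefix, opts);
  return childRoutes
    .map((r) => joinPath(childPrefix, r))
    .filter((full) => !mountMatches(mount, full));
}

// Constructed scenario: auth middleware mounted at /admin, and a child plugin
// registered with prefix /admin that declares /users and /settings.
const CHILD_ROUTES = ['/users', '/settings'];
console.log(uncoveredRoutes('/admin', '/admin', CHILD_ROUTES, { buggy: true }));
// -> [ '/admin/users', '/admin/settings' ]  (middleware silently skipped)
console.log(uncoveredRoutes('/admin', '/admin', CHILD_ROUTES, { buggy: false }));
// -> []
```

A non-empty result from the audit is the "never matches incoming requests" condition the advisory describes; the same check can be pointed at real route tables exported from an application before and after the 4.0.5 upgrade.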

Vulnerability details

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required. Upgrade to @fastify/express v4.0.5 or later.

CWE(s)

CWE-436 (Interpretation Conflict)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote path handling bug in a public-facing web framework plugin that directly enables bypassing of authentication/authorization middleware via standard HTTP requests, mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33808 (same product: Fastify Fastify/Express)
CVE-2026-6270 (same vendor: Fastify)
CVE-2026-25223 (same vendor: Fastify)
CVE-2026-33804 (same vendor: Fastify)
CVE-2026-33806 (same vendor: Fastify)
CVE-2026-2880 (same vendor: Fastify)
CVE-2026-22031 (same vendor: Fastify)
CVE-2026-42551 (shared CWE-436)
CVE-2026-41248 (shared CWE-436)
CVE-2026-27444 (shared CWE-436)

Affected Assets

fastify
fastify/express
≤ 4.0.5

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent (SI-2, Flaw Remediation): Remediates the path handling flaw in @fastify/express v4.0.4 and earlier by requiring a timely upgrade to v4.0.5 or later, directly preventing middleware bypass for child plugin routes.

Detect (RA-5, Vulnerability Monitoring and Scanning): Vulnerability scanning detects deployments of the @fastify/express version affected by CVE-2026-33807, enabling proactive patching.

Detect: Verifies correct operation of Express middleware security functions such as authentication and rate limiting, to identify path matching failures in child plugins.
