Cyber Resilience

CVE-2026-33808

Critical · Public PoC · Updated

Published: 15 April 2026
Modified: 01 June 2026
KEV Added: not listed
Patch: @fastify/express v4.0.5 or later
CVSS Score (v4): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0048 (37.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-33808 is a critical-severity Interpretation Conflict (CWE-436) vulnerability in Fastify's Fastify/Express product (@fastify/express). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 37.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

Impact

@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, the Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is therefore skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.

Patches

Upgrade to @fastify/express v4.0.5 or later.
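The following is an added illustration, not code from the advisory or from the @fastify/express project. It models the mismatch described above in plain JavaScript: a simplified normalizer standing in for the Fastify router's ignoreDuplicateSlashes / useSemicolonDelimiter handling, and an assumed prefix rule approximating how Express matches a mount path such as app.use('/admin', auth). The auditRequest function is a hypothetical pre-handler check a defender could use to flag requests whose raw path would be routed to a protected route while the scoped middleware would not see it.

```javascript
// Added example; the normalization and mount-matching rules below are
// simplifying assumptions, not the real Fastify or Express implementations.

// Stand-in for the Fastify router's normalization options.
function normalizePath(rawPath, opts = {}) {
  let p = rawPath.split('?')[0];
  // useSemicolonDelimiter: the path ends at the first ';'
  if (opts.useSemicolonDelimiter) p = p.split(';')[0];
  // ignoreDuplicateSlashes: collapse runs of '/' into one
  if (opts.ignoreDuplicateSlashes) p = p.replace(/\/\/+/g, '/');
  return p;
}

// Assumed approximation of Express mount-path matching: the path must start
// with the mount prefix and the prefix must end at a segment boundary.
function mountMatches(mountPath, path) {
  if (mountPath === '/') return true;
  if (!path.startsWith(mountPath)) return false;
  const rest = path.slice(mountPath.length);
  return rest === '' || rest.startsWith('/');
}

// Defender's check: compare what the router would route (normalized path)
// with what path-scoped Express middleware would be matched against (raw
// path). middlewareSkipped === true is the condition worth rejecting or
// logging before any handler runs.
function auditRequest(rawPath, mountPath, opts = {}) {
  const normalized = normalizePath(rawPath, opts);
  const routedAsProtected = mountMatches(mountPath, normalized);
  const middlewareApplied = mountMatches(mountPath, rawPath);
  return {
    normalized,
    mismatch: normalized !== rawPath,
    middlewareSkipped: routedAsProtected && !middlewareApplied,
  };
}

// Constructed sample: with normalization disabled, raw and normalized paths
// agree and the middleware either applies or the route is not matched at all.
const sameWhenDisabled = auditRequest('//admin/secret', '/admin', {});
console.log(sameWhenDisabled.middlewareSkipped); // false
```

With either option enabled, the same raw path yields middlewareSkipped === true, which is the signal to act on; the patched release removes the need for this check.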

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

URL normalization bypass directly enables unauthorized access to protected routes in a public-facing web application (Fastify/Express).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33807: same product (Fastify Fastify/Express)
CVE-2026-6270: same vendor (Fastify)
CVE-2026-25223: same vendor (Fastify)
CVE-2026-33804: same vendor (Fastify)
CVE-2026-33806: same vendor (Fastify)
CVE-2026-2880: same vendor (Fastify)
CVE-2026-22031: same vendor (Fastify)
CVE-2026-42551: shared CWE-436
CVE-2026-41248: shared CWE-436
CVE-2026-27444: shared CWE-436

Affected Assets

fastify / fastify/express: ≤ 4.0.5

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
