Cyber Posture

CVE-2026-6270

Critical · Public PoC

Published: 16 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (upgrade to @fastify/middie 9.3.2)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0006 (18.1th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-6270 is a critical-severity Interpretation Conflict (CWE-436) vulnerability in OpenJSF @fastify/middie. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 18.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-2 Flaw Remediation (prevent)
Directly mitigates the CVE by requiring timely identification, reporting, and correction of the flaw in @fastify/middie through upgrading to version 9.3.2.

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access, ensuring authentication middleware is properly applied to routes in child plugin scopes to prevent bypass.

RA-5 Vulnerability Monitoring and Scanning (detect)
Vulnerability scanning identifies deployed instances of vulnerable @fastify/middie versions, enabling proactive remediation before exploitation.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability in Fastify middleware allows remote unauthenticated attackers to bypass parent-scope authentication/authorization for child plugin routes via crafted requests, directly enabling exploitation of a public-facing web application for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.

Deeper analysis [AI-generated]

CVE-2026-6270 affects @fastify/middie versions 9.3.1 and earlier, a middleware plugin for the Fastify web framework. The vulnerability stems from the plugin's failure to register inherited middleware directly on child plugin engine instances. In Fastify applications that register authentication middleware in a parent scope and then add child plugins via @fastify/middie, the child scopes do not inherit the parent middleware. This missing inheritance lets unauthenticated requests reach routes in child plugin scopes, effectively bypassing authentication and authorization checks. The issue is classified under CWE-436 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By sending crafted requests to routes defined in child plugin scopes, attackers can bypass parent-level authentication middleware, gaining unauthorized access to sensitive endpoints. Successful exploitation results in high confidentiality and integrity impacts, such as reading or modifying protected data without valid credentials, while availability remains unaffected.

Advisories recommend upgrading to @fastify/middie version 9.3.2, which resolves the inheritance issue. No workarounds are available. Detailed guidance is provided in the OpenJSF security advisories at https://cna.openjsf.org/security-advisories.html, as well as GitHub security advisories for fastify-express (GHSA-hrwm-hgmj-7p9c) and fastify/middie (GHSA-72c6-fx6q-fr5w).
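The RA-5 control above asks defenders to find installed copies of the affected plugin before exploitation. As an added example (not code from this page or from the Fastify project), the following Node.js script scans a package-lock.json for @fastify/middie and flags any version below the first fixed release, 9.3.2, as stated in the NVD description. The lockfile contents are constructed for the demonstration; the version range is the only page-specific fact it relies on.

```javascript
// Scan a package-lock.json (lockfileVersion 2 or 3) for @fastify/middie
// installs affected by CVE-2026-6270: 9.3.1 and earlier are vulnerable,
// 9.3.2 is the first fixed release (per the NVD description).
const FIXED_VERSION = '9.3.2';

// Parse "major.minor.patch" into numbers. A leading "v" is tolerated and a
// prerelease tag (e.g. "-rc.1") is ignored, so "9.3.2-rc.1" counts as 9.3.2.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Numeric three-part comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is strictly below the first fixed release.
function isVulnerableMiddieVersion(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk the lockfile "packages" map. Keys are node_modules paths, so nested
// copies such as node_modules/x/node_modules/@fastify/middie are found too.
function findVulnerableMiddie(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/@fastify/middie')) continue;
    if (meta.version && isVulnerableMiddieVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a direct install of the last affected release
// and a nested copy of the fixed release pulled in by another dependency.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@fastify/middie': '^9.3.0' } },
    'node_modules/@fastify/middie': { version: '9.3.1' },
    'node_modules/some-lib/node_modules/@fastify/middie': { version: '9.3.2' },
  },
};

console.log(findVulnerableMiddie(SAMPLE_LOCKFILE));
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; only the direct 9.3.1 install is reported for the sample above.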

Details

CWE(s)
CWE-436 Interpretation Conflict

Affected Products
openjsf @fastify/middie ≤ 9.3.2

CVEs Like This One

CVE-2026-33804: same product (OpenJSF @fastify/middie)
CVE-2026-22031: same product (OpenJSF @fastify/middie)
CVE-2026-2880: same product (OpenJSF @fastify/middie)
CVE-2026-33807: shared CWE-436
CVE-2026-25223: shared CWE-436
CVE-2026-41248: shared CWE-436
CVE-2026-6322: shared CWE-436
CVE-2026-27444: shared CWE-436
CVE-2026-27896: shared CWE-436
CVE-2026-0958: shared CWE-436

References