Cyber Resilience

CVE-2026-6270

CriticalPublic PoC

Published: 16 April 2026

Published
16 April 2026
Modified
14 May 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0050 38.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-6270 is a critical-severity Interpretation Conflict (CWE-436) vulnerability in Fastify Fastify\/Middie. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-6270 affects @fastify/middie versions 9.3.1 and earlier, a middleware plugin for the Fastify web framework. The vulnerability stems from the failure to register inherited middleware directly on child plugin engine instances. In Fastify applications that register authentication middleware in a parent scope and then add child plugins via @fastify/middie, the child scopes do not inherit the parent middleware. This misconfiguration enables unauthenticated requests to access routes in child plugin scopes, effectively bypassing authentication and authorization checks. The issue is classified under CWE-436 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By sending crafted requests to routes defined in child plugin scopes, attackers can bypass parent-level authentication middleware, gaining unauthorized access to sensitive endpoints. Successful exploitation results in high confidentiality and integrity impacts, such as reading or modifying protected data without valid credentials, while availability remains unaffected.

Advisories recommend upgrading to @fastify/middie version 9.3.2, which resolves the inheritance issue. No workarounds are available. Detailed guidance is provided in the OpenJSF security advisories at https://cna.openjsf.org/security-advisories.html, as well as GitHub security advisories for fastify-express (GHSA-hrwm-hgmj-7p9c) and fastify/middie (GHSA-72c6-fx6q-fr5w).

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit…

more

the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability in Fastify middleware allows remote unauthenticated attackers to bypass parent-scope authentication/authorization for child plugin routes via crafted requests, directly enabling exploitation of a public-facing web application for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33804Same product: Fastify Fastify\/Middie
CVE-2026-2880Same product: Fastify Fastify\/Middie
CVE-2026-22031Same product: Fastify Fastify\/Middie
CVE-2026-33808Same vendor: Fastify
CVE-2026-33807Same vendor: Fastify
CVE-2026-25223Same vendor: Fastify
CVE-2026-33806Same vendor: Fastify
CVE-2026-42551Shared CWE-436
CVE-2026-41248Shared CWE-436
CVE-2026-27444Shared CWE-436

Affected Assets

fastify
fastify\/middie
≤ 9.3.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring timely identification, reporting, and correction of the flaw in @fastify/middie through upgrading to version 9.3.2.

prevent

Enforces approved authorizations for logical access, ensuring authentication middleware is properly applied to routes in child plugin scopes to prevent bypass.

detect

Vulnerability scanning identifies deployed instances of vulnerable @fastify/middie versions, enabling proactive remediation before exploitation.

References