CVE-2026-33807
@fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes
Description
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required. Upgrade to @fastify/express v4.0.5 or later.
INFO
Published Date :
April 15, 2026, 9:52 a.m.
Last Modified :
April 15, 2026, 9:55 a.m.
Remotely Exploit :
Yes !
Source :
openjs
Affected Products
The following products are affected by CVE-2026-33807
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | ce714d77-add3-4f53-aff5-83d477b104bb | ||||
| CVSS 3.1 | CRITICAL | MITRE-CVE |
Solution
- Upgrade @fastify/express to v4.0.5 or later.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-33807 vulnerability anywhere in the article.